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(54) AUTHENTICATION CARD SYSTEM 

(57) Biological individuality data for use in distin- 
guishing the individuality of a user (8) are picked up, and 
a user authentication card (7) with at least part of the 
biological individuality data recorded thereon is issued. 
The contents of the record in the user authentication 
card (7) are read out by an authentication-card reader 
(41), and compared with biological individuality data 
input by the user through an identity acquisition device. 
Such personal authentication is directly executed at an 
authentication access terminal (4). The system also 
includes certification authorities (2), (3), each of which 
records part of the biological individuality data so that 
the certification authorities can additionally authenticate 
personal identification in response to inquiry from the 
authentication access terminal (4), thus improving the 
reliability The authentication IC card used in the system 
is provided with a CPU, an authentication file storing 
identity information, and an application file classified 
into files according to the depth of authentication. 
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Description 

Technical Field 

[0001] This invention relates to a user authentica- 
tion system for execution of individual authentication in 
electronic information exchange, electronic commercial 
transaction and so on, a user authentication card and a 
user authentication device for use in the user authenti- 
cation system, and a lock control system to which the 
user authentication system is applied and in which only 
the authorized persons are allowed to open or close a 
lock. 

Background Arts 

[0002] The kinds of information accessible through 
communication networks have become extremely 
diverse in recent years, which range from electronic 
commerce such as product trading or credit to on-line 
medical diagnoses or individual medical records, and to 
perusal of registered items or the issue of certificates 
from public offices. The application and utilization of 
such information is increasing for years. 
[0003] Such personal information has something to 
do with individual's privacy, and it is often prohibited 
from being informed to others if there is the danger of 
leaking the information to public. To establish a more 
convenient information- based society associated with 
advances in electronic information communication net- 
works, there has been a demand for a highly reliable 
user authentication system capable of making a clear 
distinction between individuals. 
[0004] Such a mechanism for authenticating per- 
sonal identity can also be used in a lock device to pro- 
hibit entrance of unauthorized persons into a laboratory, 
a business office, or a house, and for an improvement in 
security of electronic money. 

[0005] The password has been most commonly 
used in authenticating user identity. The password is 
easy to use, but it is hard to eliminate thieves who steal 
the user's passwords. To prevent password thefts, the 
user takes care in protecting the security of password 
such as to use a long password, to select a password 
difficult to guess, or to change the password on occa- 
sion. Cryptography has also widely been used for secu- 
rity in communications, which encrypts communication 
contents to prevent others from recognizing the con- 
tents easily even when data leakage occurs. 
[0006] Nevertheless, such security measures can- 
not be perfect, and the password may be stolen by oth- 
ers through wiretapping communication, cracking the 
encrypted code, or stealing a look at the password. Fur- 
ther, the more complicated the password is, the more 
difficult for the user to remember. It is also essential that 
any complicated password can be duplicated by any 
means as soon as the password is stored as digital 
data. 



[0007] To prevent others from pretending th6 user 
and authenticate user identity securely, there has been 
considered another method of authenticating user iden- 
tity based on information indicative of so-called biologi- 

5 cal individuality of the user such as a fingerprint or 
voiceprint. However, the biological individuality data has 
generally a large quantity of information, and this 
requires extremely dense traffic flows between an 
authentication access terminal and an certification 

10 authority in which the user's biological information is 
stored. Such dense traffic flows may cause a traffic jam 
in a communication channel and increase of communi- 
cation time, and it is hard to apply this method to practi- 
cal use except for special environments. In the method, 

15 other problems also remain with the data managing 
place and managing method. 

[0008] In recent years, a lock control system has 
been widely used for security in a research center, a 
business office, a laboratory, a document memory 
20 room, and a house or apartment building. In the lock 
control system, persons permitted to enter a specific 
place are limited, and a lock is opened only when a card 
issued to authorized persons has passed in authentica- 
tion. 

25 [0009] it is also essential to authenticate personal 
identity accurately in the case where only the person 
concerned can receive services such as electronic 
commercial transaction as product trading or credit, on- 
line medical diagnoses, perusal of individual medical 

30 records or registered items from public offices, or issue 
of certificates. Such transactions are increasing to be 
conducted by accessing information through a commu- 
nication network instead of face-to-face communication. 
[0010] In conducting such transactions, it is neces- 

35 sary to judge whether the person concerned is the 
authentic user or not. The judgment must be accurately 
made without face-to-face talk. In these cases, a card 
can be used to authenticate personal identity, and this 
makes it possible to improve the reliability. 

40 [0011] Since the level of security varies according 
to the type of transaction, the depth of personal authen- 
tication varies. For.example, in case of a sale of cheap 
products, it may be required nothing but the approval of 
the authenticity of the card. On the other hand, in case 

45 of the issue of medical records, it may be desired to use 
the authenticity of the card together with biological infor- 
mation capable of authenticating personal identity 
securely such as a photograph of the face, a fingerprint, 
or a voiceprint. 

so [0012] A key card for use in lock control system or 
entrance control system is generally issued for each 
lock and the key card is to be carried or charged by the 
respective authorized persons. If many rooms are sub- 
ject to entrance control, a highly qualified person must 

55 carry many key cards, and this makes the charge of 
keys complicated. On the other hand, plural qualified- 
persons may often share one key card with each other. 
In this case, unauthorized persons may easily steal and 



EP 1 085 424 A1 



4 



improperly use the password or the key card unless 
being strictly cared, and this will be more difficult to keep 
security. 

[0013] A business card is also issued for each busi- 
ness transaction by the consent of all the parties, and 
thereby the transaction cards carried by one person 
tend to be enormous in number before he is aware. 
[0014] The use of a card as a key is applied to other 
cases, for example, lockers for rent. In this case, the key 
is prepared for each locker and lent to the user. Since 
even a person other than the genuine user can open the 
locker by the lent key, the stored things may be stolen by 
others, thus the security is insufficient. 
[0015] In case of safe-deposit boxes with higher 
security, a safe box is not unlocked by the key handed 
over to the user at the time of lending the safe box 
unless another key held by a superintendent are used 
together. The trouble with this system is that the super- 
intendent must attend to unlock every safe box. In addi- 
tion, a stolen or duplicated key can be used to unlock a 
corresponding safe box, and the security is still insuffi- 
cient. 

[0016] Some safe-deposit box systems provide 
each safe box with a dial or keyboard for entering a code 
to the lock. In this case, the user inputs a code at the 
time of locking the safe box to prohibit the safe box from 
being opened without inputting the same code. This 
makes it possible for the user to eliminate the need to 
carry a key. Since the user unlocks the safe box based 
on a code set at each use of the safe box be the user, 
the security is high despite its ease of use. It is never- 
theless possible for others to steal a look at the code or 
to decipher the code by guess or trial for unlocking the 
safe box. 

[0017] Further, there is another type of lock control 
system, in which entrance of persons into a laboratory, 
a document memory room, or a medicine memory room 
is limited to only the authorized persons for security. In 
this case, the lock is not opened unless any authorized 
person has passed in authenticating personal identity 
with a card issued to the person. However, if the'card is 
carelessly charged or kept by a person selected in the 
company, unauthorized persons may possibly enter the 
place freely using the card. 

[0018] Since the level of security varies depending 
on the lock to which a user accesses, a facility requiring 
low level security should avoid such excessively high 
security system as to require the user to carry out 
extremely complicated steps. For example, secure 
authentication even accompanied with complicated 
steps is necessary to open a memory shelf keeping 
deadly poisons, while easy authentication is enough for 
normal medicines as long as the amount of takeout is 
cared. 

[0019] Even in case of safe-deposit boxes, the level 
of security varies according to the importance of stored 
things. For example, expensive property or valuables for 
which there are no substitutes differ in level of security 



from replaceable goods. 

[0020] As for the type of card, a card with a CPU 
and a memory incorporated therein, such as an IC card, 
has been used as a credit card or electronic-cash card 

5 in recent years. 

[0021] The IC card has features to conduct compli- 
cated computations required for a high level of authenti- 
cation, and to easily rewrite or renew recorded contents. 
Such features are adequate to a card for record of 

10 details about sequential transactions one by one, or for 
use as electronic money. 

[0022] Further, the memory capacity built in the IC 
card is increasing, and this makes it possible for users 
to carry the various personal information by carrying the 

15 card. Such personal information convenient to carry 
around includes an ID number of insurance deed, a 
user's number of credit card, a personnel card number 
or an individual history in the company, balance of elec- 
tronic money account, details of a family register, a 

20 medical history, an address book, and so on. Such per- 
sonal information has something to do with individual's 
privacy, and may often require its concealability. 
[0023] Since such an authentication IC card 
authenticates personal identity based on the informa- 

25 tion recorded thereon, the security of the card is impor- 
tant. 

[0024] It is therefore an object of the invention to 
provide a user authentication system that can obtain a 
quick response while retaining a high level of security in 

30 authenticating personal identity for electronic informa- 
tion exchange or electronic business transaction, and a 
user authentication card and a user authentication 
device for use in the user authentication system. 
[0025] It is another object of the invention to provide 

35 an integrated authentication IC card that can combine 
various authentication cards issued for respective trans- 
actions for authenticating eligible persons so as to 
improve security in each transaction or lock system. Still 
another object of the invention is to provide an authenti- 

40 cation IC card capable of assuring security of access to 
information stored in the IC card itself while seeking 
complete privacy protection. 

[0026] It is yet another object of the invention to pro- 
vide a lock control system offering a superior level of 
45 security, which can strictly judge an authorized person 
while setting the depth of authentication of the author- 
ized person as required. 

Disclosure of Invention 

50 

[0027] A user authentication system of the inven- 
tion includes a registration station, an authentication 
card issuing station, an authentication access terminal, 
and at least one certification authority. The registration 
55 station is provided with an information acquisition 
device for obtaining biological individuality data for use 
in distinguishing the individual of users. The authentica- 
tion card issuing station issues to the user a user 
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authentication card with at least a part of the biological 
individuality data recorded thereon. The authentication 
access terminal is provided with an authentication-card 
reader for reading the information of the user authenti- 
cation card and an identity acquisition device for obtain- 
ing biological individuality data of the user. The 
certification authority is connected to the authentication 
access terminal through an information communication 
channel, and holds the record of the remaining part of 
the biological individuality data that have obtained at the 
registration station but not recorded in the user authen- 
tication card. The recorded contents read out by the 
authentication-card reader of the authentication access 
terminal are compared with the biological individuality 
data of the user obtained on the spot through the iden- 
tity acquisition device in order to authenticate identifica- 
tion of the user, and if a higher level of authentication is 
required, the certification authority compares the biolog- 
ical individuality data of the user obtained at the authen- 
tication access terminal with the part of the biological 
individuality data missing in the user authentication card 
and sends the comparison result to the authentication 
access terminal for further authentication, in response 
to inquiry from the authentication access terminal. 
[0028] In this specification, the biological individual- 
ity data denote characters unique to an individual distin- 
guishable from others because of the nature that cannot 
be controlled by human will. The biological individuality 
data include not only natural characteristics such as a 
fingerprint or palm-print, an iris or retina pattern, and 
DNA information, but also acquired characteristics from 
habit such as handwriting or a voiceprint. There may be 
the potential of finding other biological individuality data 
recognizable more easily and securely. 
[0029] In the second aspect of the invention, a user 
authentication system includes a registration station, an 
authentication card issuing station, and an authentica- 
tion access terminal, in which a user authentication card 
has a computing function. When biological individuality 
data are obtained at the authentication access terminal 
and input to the user authentication card, the computing 
function of the user authentication card compares the 
biological individuality data recorded in the user authen- 
tication card with the biological individuality data 
obtained on the spot through the identity acquisition 
device, and if required, further integrates it with the 
authentication result provided from an certification 
authority, thus authenticating the user as the true holder 
of the user authentication card. 
[0030] The user authentication system of the sec- 
ond aspect of the invention preferably includes at least 
one certification authority connected to the authentica- 
tion access terminal through an information communi- 
cation channel. Most of the biological individuality data 
obtained at the registration station is recorded in the 
user authentication card, while the remaining part that 
has not been recorded in the user authentication card is 
shared to be recorded at each certification authority. It is 



preferable that the certification authority compares the 
biological individuality data of the user obtained at the 
authentication access terminal with the part of the bio- 
logical individuality data lacked in the user authentica- 

5 tion card in response to inquiry from authentication 
access terminal for further authentication. 
[0031] in the user authentication system, the certifi- 
cation authority may be provided with a memory device 
for recording the biological individuality data obtained at 

w the registration station. 

[0032] In the user authentication system of the 
invention, the user authentication card records thereon 
at least a part of the biological individuality data that dis- 
tinguishes the individuality of a user from others, and 

15 when the user needs to be authenticated, the biological 
individuality data in the user authentication card are 
compared with the biological individuality data input by 
the user on the spot, so that only the true user can pass 
in authentication test, thereby preventing others from 

20 pretending the user. 

[0033] Not only is it too hard to reproduce the origi- 
nal forms of biological individuality from its digitized 
data, but also others cannot duplicate the biological 
individuality even if they can reproduce the digitized 

25 data. This makes it possible to offer a superior level of 
reliability of the user authentication. 
[0034] In particular, since the biological individuality 
data for reference are recorded in the user authentica- 
tion card, the user to be authenticated can be directly 

30 confirmed with his or her identity at the authentication 
access terminal without inquiring the identification from 
the certification authority remote from the authentication 
access terminal. This makes it possible to reduce a 
great deal of time and cost spent on communication 

35 with the certification authority. 

[0035] If the user authentication card is provided 
with a computing function such as a CPU and a RAM by 
which biological individuality data obtained from a user 
who makes use of the user authentication card are input 

AO and checked with those recorded in the user authentica- 
tion card, the load at the authentication access terminal 
and the device cost can be reduced, thereby offering an 
easy-to-use system. Further, the information process- 
ing can be completed inside the user authentication 

45 card to prevent the authentication data from leaking to 
the outside, thereby improving the security. 
[0036] Further, if the biological individuality data are 
divided out between the user authentication card and 
the certification authority, the necessary information is 

so divided, and this makes it hard for others to breaking 
through the entire authentication system even if the part 
of biological individuality data recorded in the authenti- 
cation card can be reproduced from the card, for exam- 
ple. In addition, since the data for use in authenticating 

55 personal identification cannot be duplicated from the 
user authentication card only, a superior level of security 
can be retained. Furthermore, even if the contents of 
the record in the user authentication card are falsified, 



4 



7 



EP1 085 424 A1 



8 



since the information at the certification authority is 
maintained, others cannot pretend to be the proper 
user 

[0037] The process of dividing data according to the 
invention is different from the conventional process in 
that, in stead of judging reintegrated data gathered at 
one place, the authentication access terminal and the 
certification authority independently authenticate per- 
sonal identification based on the biological individuality 
data in hand so that both results can be reflected in the 
authentication. Since the entire original data are never 
reproduced, the concealability of the data can be main- 
tained with a superior level of security 
[0038] Even when someone succeeds to attack the 
certification authority, he cannot falsify the information 
of the user authentication card carried by the user, thus 
retaining the security 

[0039] Further, in case of use of a plurality of certifi- 
cation authorities, each certification authority may 
authenticate personal identification independently in 
response to inquiry from the authentication access ter- 
minal or from another certification authority, in addition 
to the user authentication based on the information of 
the user authentication card. In such a case, if the certi- 
fication authorities hierarchically arranged in the system 
obtain authentication results on step-by-step basis, the 
reliability of the user authentication can further be 
improved. 

[0040] In the user authentication system of the 
invention, pass/fail determination may be selectively 
made by only the authentication result obtained by the 
authentication access terminal based on the informa- 
tion recorded in the user authentication card, or for 
more secure determination by adding the authentication 
results by the certification authority or authorities based 
on the information held in the authority or authorities but 
not recorded in the user authentication card, according 
to the required reliability of the authentication. 
[0041] The level of authentication may be predeter- 
mined for each authentication access terminal or each 
transaction, or it may be set for every transaction by the 
authentication access terminal. Alternatively, it may be 
automatically selected according to the sale price or 
other appropriate guidelines. 

[0042] Further, in this process of dividing informa- 
tion, even when whole biological individuality data are 
used for user authentication, if the authentication is exe- 
cuted at the authentication access terminal deriving 
most of the data from the user authentication card, the 
amount of information exchanged through the commu- 
nication line can be reduced, and hence the traffic flows 
on the communication line and the time spent on inquir- 
ing can be reduced. The division of information has also 
effects on the control of processing performance and 
memory capacity at the certification authority which is 
required to store information of a large number of users 
and to dispose a lot of inquiries. 
[0043] Furthermore, the user authentication system 



may include a registration authority provided with a 
memory device for storing biological individuality data of 
the user obtained at the registration station. The regis- 
tration authority holds the full records of the biological 

5 individuality data of the user obtained at the registration 
station for use in judging the place where unauthorized 
use of data or an abnormal condition has occurred, reis- 
suing a damaged authentication card, or repairing the 
data of the lower certification authorities. The registra- 

10 tion authority may authenticate the user even though he 
or she does not carry the authentication card based on 
the records held in the registration authority with a cer- 
tain degree of reliability For example, if the user have 
had his or her authentication card stolen, the user 

is authenticated based on the data in the registration 
authority can call for suspension of the stolen card and 
reissue of the card. 

[0044] At the registration authority, the memory 
medium recording the biological individuality data may 

20 be removed from the information communication chan- 
nel of the user authentication system so that it can be 
connected only when it is necessary. This makes it pos- 
sible to prevent raid by hackers, and hence the leakage 
and falsification of personal information. For security it 

25 is extremely effective that only a part of the user's bio- 
logical individuality data are recorded in the user 
authentication card and the lower certification authori- 
ties, respectively, so that integrity of the data is not 
allowed to be at one place. 

30 [0045] The biological individuality data used in the 
user authentication system of the invention may include 
handwriting plus the input process. The handwriting well 
represents a biological individuality of each person and 
is effective in preventing others from imitating the indi- 

35 vidual's, and besides, the input device or analyzer is rel- 
atively easy to find. The user can write arbitrary letters 
or figures as his or her identification, but it is more desir- 
able that the user writes his or her signature because of 
its better reproducibility. Others may imitate the written 

40 handwriting, but its input process, such as stroke order 
and stroke pressure, is to do with biological individuality 
of the person and this make is difficult for others to imi- 
tate. Therefore, the use of an on-line input device for 
adding information on the input process to the handwrit- 

45 ing enables a highly reliable authentication. 

[0046] The biological individuality data may also 
include a fingerprint, a voiceprint, an iris or retina pat- 
tern, and DNA information. Further, it is probable to find 
other biological individualities recognizable more easily 

so and securely, in future. 

[0047] The biological individuality data may be 
divided physically as recorded in the user authentication 
card and in the certification authority For example, the 
first half and the second half of the biological individual- 

55 ity data may be recorded in the authentication card and 
in the certification authority respectively, and checked 
separately. Alternatively, the information may be hierar- 
chically divided such that information on the shape of 



5 



9 



EP 1 085 424 A1 



10 



handwriting is recorded in the user authentication card 
and information on the stroke pressure and stroke order 
is recorded in the certification authority. 
[0048] Further, plural kinds of biological individual- 
ity data such as a signature and a voiceprint may be 5 
recorded separately to judge the personal identification 
based on different kinds of information so as to improve 
the reliability. 

[0049] Furthermore, plural kinds of biological indi- 
viduality data may be registered and make different 10 
transaction conducted in response to the type of input 
data. 

[0050] In addition to the normal data of biological 
individuality, other unique information may be used 
together which is effective only in a special case. For 15 
example, in a case where a user is compelled to put his 
or her signature under the threat or duress by another 
person, the user can secretly add a hidden symbol or 
sign in his or her signature to notify a security firm of the 
emergency situation while making the threatener 20 
believe that he or she obediently puts his or her signa- 
ture in usual way. 

[0051] As an option on this scheme, it may make a 
show of normal transactions such as to unlock a door or 
to withdraw cash in order to ensure personal safety in 25 
such an emergency case. Such biological individuality 
data as to use for the emergent purpose may be the 
same type as that of normal data, or combined data of 
plural different types such as to add voice data to a sig- 
nature. Reversely, combined data with special code 30 
data added to dummy data may be used as correct 
authentication data. 

[0052] A user authentication card used in the user 
authentication system of the invention is a memory 
medium provided with a readable memory area which 35 
stores a signal for identifying the authentication card 
and at least part of the biological individuality data for 
distinguishing the individuality of a user from others. 
[0053] The memory medium may be a read-only 
memory medium such as a ROM or CD-ROM, but a wri- aq 
table/readable memory medium may be possibly 
adopted which can add records of transaction details or 
new information because there is less danger of falsify- 
ing the contents of the record indicative of biological 
individuality data of the user therein. 45 
[0054] It is desirable to use a high-security IC card 
having a high counterfeit-proof function and a large data 
space, mounting an intelligent function and an encryp- 
tion system thereon. 

[0055] If an IC card with a CPU and a RAM 50 
mounted thereon is used, the IC card can take biologi- 
cal individuality data of the user in the card and com- 
pare them with checking data stored inside for 
authenticating user identification. In this case, the load 
of the authentication access terminal and the device 55 
cost of the terminal can be reduced. Further, the 
authentication data of the user authentication card can 
be made unreadable from the outside for improving the 



security. 

[0056] The use of an IC card enables to provide a 
multi-purpose card for achieving a high level of personal 
authentication with multiple functions mounted thereon. 
The IC card used here may be a composite type pro- 
vided with a contact type that reads and writes data 
through an external terminal and a non-contact type 
that reads and writes data in a non-contact way without 
the external terminal. 

[0057] In particular, if the information is dividedly 
recorded, since it is useless to falsify the contents of the 
record in the user authentication card, an economical 
and easy-to-use medium such as a floppy disk can be 
used as the user authentication card. There can be also 
used other writable media such as a CD-ROM, a DVD, 
a recording tape, or an MD. 

[0058] The authentication IC card using an IC card 
for authenticating personal identification includes a 
CPU, an authentication file storing identity information, 
and application files classified according to the depth of 
authentication. In this configuration, when requested 
from the outside to present information recorded in any 
of the application files, the CPU compares identity infor- 
mation input from the outside with the identity informa- 
tion stored in the authentication file to confirm the 
authentication of the required level. Then, when an 
acceptance is derived from the comparison, the infor- 
mation of the application file is presented through the 
CPU. 

[0059] In the conventional arts, an individual card 
has been issued for each individual case in which per- 
sonal authentication is required, not only for reasons 
that a simple system makes it easy to handle and that it 
is difficult for various parties to tie up each other, but for 
reasons that various depth of authentication is required 
according to the contents of transactions and a single 
identity information is insufficient to cover various 
depths of authentication. Further, if a card holder has 
one card for plural transactions, technical immaturity 
may give excessive authority to the holder. 
[0060] According to the authentication IC card of 
the invention, the application files in the card are classi- 
fied according to the depth of authentication corre- 
sponding to the confidentiality of each file. When 
requested from the outside to present information 
recorded in any application file, the CPU checks and 
confirms the input identity information. Then, when the 
input identity information is authenticated in the corre- 
sponding depth predetermined for the file, the target 
information in the application file is presented through 
the CPU. 

[0061] The identity information input by the card 
holder on the spot can be checked by an external device 
with the identity information provided from the card or 
prerecorded in the device. The use of functions of the 
external device enables complicated image processing 
or information processing, and this is effective in a case 
where the CPU capacity or memory space of the 
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authentication IC card is not sufficient. Further, the use 
of the identity information dividedly stored in external 
devices assures reliable authentication. 
[0062] The identity information stored in the authen- 
tication file can include biological information for use in 
distinguishing the individuality of an authentic holder of 
the IC card. 

[0063] Some of the application files classified 
according to the depths of authentication may record 
only IDs for use in various transactions. Such IDs 
become effective when the card holder is verified as to 
whether he or she is eligible to access external transac- 
tion information in an external source. 
[0064] Other private information of the holder may 
also be recorded in the application files. Since the 
authentication IC card of the invention has high capabil- 
ity to authenticating personal identification, no one can 
access the personal information of the card without per- 
mission of the holder, and this makes privacy protection 
perfect. 

[0065] . A mechanism may be used together with the 
above mechanisms, in which qualification conditions to 
access each application file are pre-registered so that 
only the qualified persons are allowed to access the cor- 
responding file. The files can be arranged two-dimen- 
sionally in combination with levels of authentication, and 
this makes it possible to respond to more complicated 
requests. 

[0066] When using the authentication IC card of the 
invention, information as an entrance certificate or a 
bank ID is stored in the application files, while authenti- 
cation procedures required for respective transactions 
are specified, at first. Further, identity information to be 
used for authenticating personal identification is stored 
in the authentication file. 

[0067] For example, admission into a certain build- 
ing may require only to carry the authorized authentica- 
tion card without other specific authentication 
requirements, but admission into an office requires the 
user not only to carry the authentication IC card, but 
also to pass in password check for confirming that the 
card holder is authentic. Further, admission into a 
morgue requires stricter authentication to check his or 
her fingerprint. 

[0068] In this case, information indicative of the 
authenticity of the card, the password of the holder, and 
the fingerprint information are recorded in the authenti- 
cation file; while a code signal for opening an entrance 
door of the building, a code signal for opening a door of 
the office, and a code signal for opening a door of the 
morgue are stored in each application file. 
[0069] The person carrying the authentication IC 
card has the card read out by a card reader attached to 
the door. The card reader takes in the card information 
and confirms that the card is authentic and the pass- 
word matches up. If the card has passed in the check, 
the door is opened to get the card holder in. 
[0070] At the door of the office, the card reader is 



equipped with a keyboard on which the card holder 
needs to input the password while having the authenti- 
cation IC card read out. When the authenticity of the 
authentication card is confirmed, and the password 

5 input by the card holder matches with the password 
recorded in the authentication file of the authentication 
IC card, the code signal for opening the door is sent to 
the card reader through the CPU. Then, when the code 
signal is correct, the card holder is allowed to enter the 

10 office. 

[0071] At the door of the morgue, the card reader is 
equipped with a fingerprint reader. The card holder who 
want to enter the room needs to have the authentication 
IC card read out by the card reader and to put his or her 

15 specified finger on the fingerprint reader. When the fin- 
gerprint matches with that recorded in the authentica- 
tion file, the code that instructs opening the door is sent 
to the card reader through the CPU. Then, when the 
card reader judges the code signal to be authentic, the 

20 door is opened to get the card holder in. 

[0072] The same mechanism can be applied to 
financial systems. 

[0073] A credit card may diminish utility if elaborate 
input procedure of a signature is required for every 

25 cheap purchase. On the other hand, expensive pur- 
chases such as jewels and ornaments need to strictly 
authenticate personal identification. Thus, although the 
level of authentication varies corresponding to every 
user's passwords to be output from the application file 

30 according to the type of credit, the authentication IC 
card of the invention can deal with different levels of 
authentication. 

[0074] Further, qualification conditions to access 
each application file can be pre-registered so that only 

35 the qualified persons are allowed to access the corre- 
sponding file, thus limiting information access by the 
card reader only to necessary area in order to prohibit 
excessive disclosure of personal privacy. 
[0075] For example, an undo-a-lock system is 

40 allowed to request only the identity information and the 
unlock code signal, so that the CPU eliminates excess 
access by the system to a file storing medical records. 
In some cases, the CPU may shut down all the informa- 
tion exchange against unauthorized access to prevent 

45 information from getting stolen or falsified. 

[0076] The authentication IC card of the invention 
records a code signal for permitting a certain transac- 
tion or service in the authentication IC card possessed 
by a person qualified for the transaction or service. The 

so authentication card is used to authenticate the person 
carrying the IC card is to be the genuine holder of the 
card each time the transaction or service is conducted. 
[0077] Therefore, the service provider should 
receive the information from the authentication IC card 

55 indicating that the person carrying the card is the 
authentic card holder and that such a code signal as to 
prove the eligibility of the service is recorded in the card. 
On the other hand, the authentication IC card should 
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confirm that the card reader is proper and that the per- 
son carrying the card is the authentic card holder. 
[0078] The authentication IC card of the invention 
stores attributes information of the card holder, includ- 
ing qualification to enter a building or a morgue, a bank 5 
account, possession of credit, a family register or his- 
tory, and the balance of electronic money account, and 
this makes it possible to integrate authentication data 
for all the qualified transactions into a single card. 
[0079] The authentication IC card of the invention 10 
gives transaction qualifications to the card holder, not to 
the card itself, so that it can be operated based on more 
essential confidence compared to the conventional card 
system. It is therefore unnecessary to hold plural cards 
issued for respective services as in the conventional is 
system, and hence unnecessary to strictly control the 
use of the card against unauthorized persons as in case 
of an undo~a-lock card shared with plural persons, for 
example. 

[0080] The authentication IC card of the invention 20 
can authenticate the proper card holder based on only 
the information recorded in the IC card and the informa- 
tion input by the card holder on the spot. Since the card 
security becomes more important than in the conven- 
tional system, the authentication IC card is provided 25 
with high-security means to prevent persons other than 
the authentic transaction user from misappropriating the 
authentication card. Such means include biological 
information of the transaction user, such as a signature, 
a voiceprint, a fingerprint, a palm-print, or an iris, 30 
together with a password having a high degree of flexi- 
bility, thus preventing persons other than the authorized 
user from misappropriating a stolen or picked-up 
authentication IC card directly or after tampering. 
[0081] The authentication IC card also should be 35 
provided with means to inform the user of the identity 
information recorded thereon when the user forgets his 
or her own identity information. Further, there may be 
also a case where the user needs to rewrite or renew 
the identity information. Therefore, others may misap- 40 
propriate the above means to cheat the person in 
charge or act in collusion with the person to misappro- 
priate the identity information illegally obtained. 
[0082] Furthermore, the identity information illegally 
obtained may be used to rewrite the IC card, or to make 45 
a forged authentication card from a new IC card. Such 
criminal conducts are difficult to be fully eliminated. 
[0083] Despite of the high-security characteristics, 
even the authentication IC card finds it difficult to pre- 
vent a person familiar with the system or an insider from so 
evilly falsifying or counterfeiting the authentication IC 
card. 

[0084] To prevent this, an authentication IC card of 
the invention includes a CPU, an authentication file stor- 
ing the identity information or both of the identity infor- 55 
mation and the authentication information, and an 
application file storing job programs or relevant data 
classified according to the depth of authentication. And 



when the application file is accessed from the outside, 
the authentication IC card allows the access as a result 
of truth judgment based on the identity information or 
the authentication information of the authentication file. 
The authentication file in the authentication IC card of 
the invention stores, in addition to the identity informa- 
tion on the authorized user, identity information on a 
second person or authentication information on a sec- 
ond organism. And jobs or data treated by the card are 
predetermined corresponding authentication of the sec- 
ond person or organism to be requested. When the spe- 
cific job or data is requested to be executed or shown, 
the CPU compares identity information or authentica- 
tion information input from the outside with the informa- 
tion in the authentication file, and when the 
authentication is acceptable, execution or showing of 
the specific job or data is allowed. 
[0085] The authentication IC card of the invention 
requires the approval of an authorized second person or 
organism (hereinafter, called the witness) in addition to 
the authorized user of the card for accessing the spe- 
cific job or data. In this case, such a job as to call for 
confirmation of the validity of the authentication IC card 
itself or the validity of the user can be specified for a 
superior level of security. 

[0086] The approval of the witness becomes effec- 
tive only when the witness is authenticated based on 
the identity or authentication information recorded in the 
authentication IC card. 

[0087] For example, one or more witnesses may be 
present at the issue of the authentication IC card so that 
the identity information or authentication information on 
the witnesses can be recorded in the authentication IC 
card together with the information on the user. The user 
of such an authentication IC card is required to obtain 
the approval of the witnesses at the time of disclosure of 
the recorded identity information on the user or renewal 
of the identity or authentication information even if the 
user himself is authenticated. The witness or witnesses 
may be the third party trusted by the user, or someone 
designated by the person in charge of issuing the card, 
or an organism as an institution or organization such as 
the issuer. 

[0088] Such a system requires the approval and the 
authentication of the witness other than the user, or the 
user must pass in authentication together with the wit- 
ness, and this makes it possible not only to prevent oth- 
ers from stealing the identity information for 
misappropriating the authentication IC card, but also to 
prevent others from acting in collusion with the person 
inside to rewrite the identity information. 
[0089] Further, since a superior level of security can 
be set for the authentication based on the reliability 
inherent in the authentication IC card, the security of the 
authentication IC card can be protected even if there is 
no extreme security system in the card issuing station of 
the authentication IC card. Further, ail the personal data 
can be stored in the authentication IC card and no 
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backup data is left in the card issuing station. 
[0090] It is therefore possible to easily establish a 
card issuing system with a high level of confidence. 
[0091] It should be noted that either the CPU in the 
authentication IC card or an external device can judge s 
the authentication. If an external device is used for the 
judgment, the identity information or authentication 
information stored in the authentication file is output to 
the external device via the CPU. Then, when the exter- 
nal device judges the authentication to be acceptable, 10 
access to the application file is allowed through the 
CPU. 

[0092] If the CPU in the card judges the authentica- 
tion, the facilities on the side of the IC-card reader can 
be simplified, and hence the equipment cost at the site is 
can be saved. 

[0093] The use of the external device allows the IC 
card performance simplified. Further, when the identity 
information is shared with a memory device outside of 
the authentication IC card, the card adapts to a system 20 
requiring higher security. 

[0094] The identity information preferably includes 
biological information distinguishing the individuality of 
the proper holder of the authentication IC card. The bio- 
logical information may include a signature, a voiceprint, 25 
a fingerprint, a palm-print, and an iris. It is needless to 
say that a password having a high degree of flexibility 
can be used together with the biological information. 
[0095] Further, transaction logs relating authentica- 
tion of the witness are preferably recorded in the 30 
authentication IC card. 

[0096] Such logs are useful to presume circum- 
stances and causes of the accidents occurred. 
[0097] A user authentication device of the invention 
for authenticating personal identification by means of a 35 
user authentication card includes an authentication- 
card reader for reading out information recorded in the 
user authentication card, an identity acquisition unit for 
obtaining biological individuality data of a user, a judg- 
ment unit for collating the biological individuality data in 40 
the authentication IC card read out by the authentica- 
tion-card reader with the biological individuality data 
obtained on the spot through the identity acquisition unit 
and judging the acceptance, and a display unit for dis- 
playing the judgment result. 45 
[0098] According to the user authentication device 
of the invention, the user who is requested to authenti- 
cate personal identification puts the user authentication 
card in the authentication-card reader, and inputs 
through the identity acquisition unit his or her biological so 
individuality data of the same kind as that recorded in 
the user authentication card. As a result, the judgment 
unit checks the biological individuality data recorded in 
the user authentication card with that obtained by the 
identity acquisition unit and judges whether the check- 55 
ing result is acceptable, while the display unit indicates 
the judgment result. Thus, the person carrying the user 
authentication card can be judged immediately to be a 



proper card holder or not without external communica- 
tion. 

[0099] The user authentication device should be 
equipped with the identity acquisition unit of the same 
type as the biological individuality input device used in 
the user registration station. A device having a function 
to take in handwritten figures may be used as the iden- 
tity acquisition unit. The handwritten figure acquisition 
unit can input the predetermined handwritten figure, 
such as a signature, as digital data and easily compare 
the input figure with the biological individuality data on 
the user authentication card. 

[0100] The user authentication device of the inven- 
tion preferably includes a communication unit for com- 
municating with an outside certification authority, in 
which at least part of the biological individuality data of 
the user input through the identity acquisition unit is sent 
to the outside certification authority so that the user 
authentication device can receive the pass/fail judgment 
result from the certification authority and display the 
result through the display unit. 

[0101] If the user authentication device is con- 
nected to the outside certification authority for hierarchi- 
cal processing of the authentication data, invaders' evil 
access or falsification can be prevented, and this makes 
it possible to offer authentication performance with a 
higher level of security. 

[0102] The user authentication system of the inven- 
tion can be applied to a lock control system. A lock con- 
trol system of the invention uses an IC card as a key 
with personal authentication data of a user recorded 
thereon, in which the identity data input by the user on 
the spot is checked against the personal authentication 
data, and the lock is released when the user has passed 
the authentication check. 

[0103] In the lock control system of the invention, 
the user authorized to use the lock is given a user 
authentication card as a key card formed with an IC 
card storing personal authentication data of the user. 
When undoing the lock, the user presents the key card 
and inputs his or her identity data. The identity data 
input by the user on the spot is checked against the data 
recorded in the key card, and if they match up within an 
acceptable range, the lock is unlocked. 
[0104] Since the lock is never opened when the 
identity data of the accessing person does not match 
with the personal data recorded in the key card, only the 
authorized person can undo the lock. 
[0105] Such a system is to authorize a qualified 
user to open the lock and the key card is used only for 
certificating whether the person carrying the key card is 
qualified or not. In the system, the key card has only a 
part of key functions. 

[0106] Therefore, even if others have picked up, sto- 
len, or duplicated the key card, no one but the qualified 
user can undo the lock, thus enhancing the security of 
lock. 

[0107] Further, since personal information on the 
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user is stored in the key card, the lock device needs nei- 
ther to hold a vast database for storing large amount of 
information related to all the potential users, nor to be 
provided them from the host device through high-speed 
communications. 5 
[0108] However, part of the personal information 
can be stored in the memory device on the lock side to 
be used together with that recorded in the key card for a 
higher level of security. 

[0109] The personal identity data recorded in the w 
key card may be information on the user's living body or 
information data created by the user. Such information 
can further enhance the security of lock. 
[01 10] Furthermore, the key card may record a cer- 
tain personal authentication data selected from plural 15 
kinds of them. 

[0111] If there is such a mechanism as to prevent 
others from identifying the kind of authentication data 
held on the key card, others who try to misappropriate 
the key IC card cannot use stolen cards unless they 20 
know which of a fingerprint, a voiceprint, a signature, a 
password or others is used as the authentication data, 
thereby reducing damage from stolen cards. 
[0112] Furthermore, an access terminal may be 
provided with plural kinds of identity data input means 25 
corresponding to plural kinds of personal authentication 
data so that the user can select one of them. If plural 
kinds of authentication data are selectable, others who 
try to misappropriate the key card need to decide the 
proper type of authentication data used on the key card, 30 
and this improves the security of lock. Of course, the 
plural kinds of personal authentication data may be 
used together in combination so as to prevent the lock 
from being opened unless all the selected data has 
passed the authentication check. 35 
[0113] Furthermore, plural locks may be treated by 
one key card, and the types of personal authentication 
data are selectively applied to the respective locks. 
[0114] in this case, not only the cost can be 
reduced compared to a case where one card is issued 40 
for each lock, but also the number of key cards carried 
by one user can be reduced and the user is released 
from selecting a corresponding card for each lock. 
[0115] Such a key card can also be effective in 
common use for a lock for a door and locks for classified 45 
shelves in a memory. If the memory is furnished with 
shelves different in care level, such as shelves for nor- 
mal medicines and shelves for strong medicines, even 
persons authorized to open only the door of the memory 
may not be allowed to open the shelves for strong med- so 
icines. It is also applicable in such a case where person- 
nel documents and accounting documents are stored in 
the memory but only the persons in charge of each 
department can access each relevant documents. 
[0116] In these cases, an alarm function can be 55 
attached to the system to issue the alarm when a per- 
son other than the qualified persons accesses the place 
or materials, thus improving the security. For this pur- 



pose, sensors for detecting persons' access may be 
provided to the shelves inside the memory. Since the 
sensors do not need to operate upon access by any 
authorized person, the sensor circuitry relating to the 
restricted area for which the authorized person has 
already passed in the personal authentication should be 
controlled not to output the alarm. 
[0117] This system may be configured such that an 
unauthorized person's access is notified in the control 
room and that the door of the memory is shut down to 
prevent the unauthorized person from running away. 
[0118] Further, the lock control system of the inven- 
tion has a function of identify the person individually 
who has accessed the lock, the accumulated access 
data automatically generates an inventory record of the 
memory. 

[0119] The lock control system of the invention can 
also be provided for security of safe boxes storing valu- 
ables. In particular, the application to safe-deposit 
boxes can offer an adequately safe facility for the safe- 
deposit box system even without any witness from the 
management side. Further, users themselves of the 
safe-deposit boxes can determine depth of security 
according to the value of stored things. 

Brief Description of Drawings 

[0120] 

Fig. 1 is a block diagram illustrating a user authen- 
tication system as practiced in an embodiment of 
the invention; Fig. 2 is a perspective view illustrating 
an example of a user authentication device used in 
the embodiment; Fig. 3 is a circuit diagram of the 
use authentication device of the embodiment; Fig. 4 
is a block diagram illustrating the first and second 
examples of configurations of an user authentica- 
tion card used in the embodiment; Fig. 5 is a flow- 
chart illustrating the process of issuing the user 
authentication card in the embodiment; Fig. 6 is a 
flowchart illustrating the process of authentication 
at an access terminal in the embodiment; Fig. 7 is a 
block diagram of the third embodiment of an 
authentication IC card according to the invention; 
Fig. 8 is a block diagram illustrating the structure of 
files in the authentication IC card of the third 
embodiment; Fig. 9 is a block diagram illustrating 
an example of usage of the authentication IC card 
of the third embodiment; Fig. 10 is a flowchart illus- 
trating the usage of the authentication IC card of the 
third embodiment; Fig 11 is a block diagram illus- 
trating a configuration of an authentication IC card 
as practiced in the fourth embodiment of the inven- 
tion; Fig. 12 is a flowchart illustrating the process of 
issuing the authentication IC card of the fourth 
embodiment; Fig. 13 is a flowchart illustrating the 
process of reading out identity information recorded 
in the authentication IC card of the fourth embodi- 
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ment; Fig. 14 is a flowchart illustrating the process 
of rewriting or renewing the identity information 
recorded in the authentication IC card of the fourth 
embodiment; Fig. 15 is a block diagram illustrating 
the first embodiment of a lock control system 5 
according to the invention; and Fig. 16 is a block 
diagram illustrating the second embodiment of a 
lock control system according to the invention. 

Best Mode for Carrying Out the Invention 10 

[0121] Embodiments of the invention will be 
described with reference to the appended drawings. 
[0122] As shown in Fig. 1, the user authentication 
system of the invention is of hierarchical structure in 15 
which an authorized registration authority, certification 
authorities, and authentication access terminals are 
arranged hierarchically. 

[0123] The authorized registration authority or the 
policy registration authority (PRA) 1 supervises the 20 
entire authentication network and issues certificates of 
commission of partial power to a plurality of intermedi- 
ate certification authorities or policy certification author- 
ities (PCA) 2 as licensees. The policy certification 
authorities given the power then issues certificates of 25 
commission of partial power to a plurality of end certifi- 
cation authorities (CA) 3 as sub-licensees. 
[0124] The end certification authorities (CA) 3 act 
as go-betweens in connecting authentication access 
terminals (TM) 4 as clients who make use of user 30 
authentication, and users 8 who enjoy services offered 
by the clients. In the following description, access to var- 
ious services may be called "transaction." 
[0125] The authorized or policy registration author- 
ity (PRA) 1 is provided with a memory 1 1 removable 35 
from the main equipment, while the policy certification 
authorities (PCA) 2 and the end certification authorities 
(CA) 3 are provided with memories 21, 31 connected to 
respective equipments at all times. 

[0126] These facilities are connected with each 40 
other through dedicated lines or public lines, so that 
information can be exchanged at any time. The connec- 
tions may be made via the intranet or the internet. In 
exchanging information through the communication 
lines, it is preferable to ensure security through an 45 
encryption system using public keys or common or sym- 
metric keys. 

[01 27] The policy certification authorities (PCA) can 
be eliminated from the user authentication system. 
Reversely, the policy certification authorities (PCA) can so 
be provided over plural levels to increase the depths of 
the hierarchy to more than three. 
[0128] The policy registration authority (PRA), the 
policy certification authority (PCA), and the end certifi- 
cation authority (CA) may also be replaced by an institu- 55 
tion which integrates all the functions. 
[0129] The end certification authorities (CA) 3 are 
generally empowered by the policy registration authority 



(PRA) or an upper certification authority (PCA) to exe- 
cute authentication in a limited region such as a public 
administrative agency, a medical institution, a specific 
company, an apartment building, a mall, and the like. 
[0130] The end certification authority (CA) is con- 
nected to authentication access terminals (TM) which 
belong to the limited region and use the authentication. 
[0131] The authentication access terminals (TM) 
may represent a window of a government office, a divi- 
sion reception desk or pharmacy reception desk in a 
hospital, a door in a laboratory or office, an information 
tool accessing a database to be protected, an apart- 
ment entrance or an apartment door, a remote control 
device for indoor utilities, a member-only club facility, a 
checkout counter at each store in a mall or in a large 
retail store such as a department store, a window in a 
monetary facility such as a bank, an automatic teller 
machine, and so on. 

[0132] In particular, it is considered that user 
authentication will be more important in the field of 
direct marketing hereafter. In this case, the authentica- 
tion access terminal 4 may be placed in home of each 
user 8. 

[0133] The end certification authority (CA) 3 author- 
izes a user registering station (RG) 5 to receive a regis- 
tration application from a user 8 who wants to be a 
consumer of an authentication access terminal (TM) 4, 
and authorizes an authentication-card issuing station 
(IS) 6 to issue user authentication cards 7. 
[0134] The user registering station (RG) 5 is fur- 
nished with an input device 51 for obtaining biological 
individuality data. This embodiment uses an on-line 
handwritten-figure input device with a tablet and a pen. 
The on-line handwritten-figure input device input hand- 
writing of a user with the process of writing for graphic 
recognition, so that, when letters are input, the informa- 
tion on direction and order of each stroke of letters can 
easily be obtained. 

[0135] When a voiceprint is used as means of cap- 
turing the biological individuality, a microphone 52 is 
equipped for input user's voice. Any other device, such 
as a fingerprint or palm-print input device, or a device for 
observing a pupil to take in an iris or retina pattern, can 
also be provided. 

[0136] The use of a plurality of personal identifica- 
tion means makes the authentication more securely. 
[0137] The authentication-card issuing station (IS) 
6 is furnished with an authentication-card issuing device 
61. The authentication-card issuing device 61 writes the 
information to be used for user identification in a user 
authentication card 7 and issues the authentication card 
to the user 8. In this embodiment, the user authentica- 
tion system uses an IC card as the user authentication 
card. However, any other recording medium can be 
used as long as it is available for write and read opera- 
tions, i.e., any other electronic recording medium can be 
used, such as a magnetic recording medium including a 
CD-ROM, a floppy disk, and a magnetic card, or a mag- 
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neto-optic recording medium. 

[0138] The authentication access terminal (TM) 4 is 
furnished with a user authenticating device 41 that 
examines genuineness of the user authentication card 7 
carried by the user 8 and authenticate the user 8. 
[0139] Figs. 2 and 3 show an example of a configu- 
ration of the user authenticating device 41 . 
[0140] Arranged on the front panel of the user 
authenticating device 41 are an input/output unit 401 
with a slot for inserting an authentication card 7, which 
exchanges information with a memory area of the 
inserted authentication card 7; an authentication-level 
specifying unit 402 that specifies the depth of authenti- 
cation required for the current transaction; a personal 
identity input unit 403 that takes in a biological individu- 
ality data of the user; and an authentication display 404 
that displays the authentication result. 
[0141] The personal identity input unit 403 is the 
same as the biological individuality input device 51 used 
at the user registering station (RG) 5. If the voiceprint is 
used together in user authentication, a microphone 42, 
of course, needs to be provided to the user authenticat- 
ing device 41 of the authentication access terminal (TM) 
4. The personal identity input unit 403 is thus equipped 
with respective input means corresponding to types of 
the biological individualities to be used. 
[0142] Electronic circuitry 410 is incorporated 
inside the user authentication device 41; it acts to 
organically combine the functions of these units for user 
authentication. 

[0143] The electronic circuitry 410 includes an 
authentication card read/write control part 411, an iden- 
tity information converting part 412, a judgment part 
413, and a communication part 414. 
[0144] The authentication card read/write control 
part 41 1 has the functions to read the contents of infor- 
mation recorded in the authentication card through the 
input/output unit 401, to decode the encrypted digital 
data, and to record the transaction results onto the 
authentication card as well. 

[0145] The identity information converting part 412 
converts the biological individuality data taken in by the 
personal identity input unit 403 to digital data. 
[0146] The judgment part 413 takes in output infor- 
mation from the authentication card read/write control 
part 411, the identity information converting part 412 
and the authentication-level specifying unit 402, authen- 
ticates user identification according to the level of 
required authentication based on those output informa- 
tion added with information exchanged with the certifi- 
cation authorities through the communication part 414, 
and indicates the authentication result through the 
authentication display 404. 

[0147] When the user is authenticated and a trans- 
action is established, then the transaction result is input 
from a transaction-detail input unit 420 and the transac- 
tion details are displayed on a transaction display 421, 
so that the user 8 can confirm the transaction details. 



The transaction details are also recorded in a memory 
422. 

[0148] The judgment part 413 may be designed to 
automatically send the user authentication result to the 

5 transaction-detail input unit 420 so that the transaction 
may be determined to be accepted or refused. 
[0149] Further, the transaction details or transac- 
tion history may be recorded in the user authentication 
card 7 by inputting the transaction information via the 

10 transaction-detail input unit 420. 

[0150] As an example, when the user authentica- 
tion card 7 is used for settlement purpose, the purchas- 
ing date, purchased product names, and their prices 
can be recorded, and those make it easy for the user to 

15 confirm the transaction at payment. When the card used 
for administrative services, information related to vari- 
ous certificates or identification papers such as health 
insurance card, driver's license, medical record and cer- 
tificate of residence, can be received and stored in the 

20 user authentication card 7. 

[0151] Privacy of the user can be protected by 
requiring user authentication anytime when a person 
reads the contents recorded in the user authentication 
card 7 so that any access by all but the user concerned 

25 shall be prohibited. 

[0152] In addition to the biological individuality data 
used for normal authentication, other unique informa- 
tion that is effective only in special cases may be used 
together. For example, in a case where a user is com- 

30 pelled to put his or her signature under the threat of a 
robber or duressor, the user can secretly add a hidden 
symbol or sign in his or her authentic signature to notify 
a security firm of the emergency situation while normal 
transactions are taking place such as opening a door or 

35 withdrawing cash, so that the security officers can take 
appropriate action such as to arrest the criminal as soon 
as the safety of the user is ensured. 
[0153] Such biological individuality data as to use 
for special purposes may be combined data of plural dif- 

40 ferent types such as twice coughs at the time of signa- 
ture. 

[0154] Fig. 4 is a block diagram illustrating internal 
arrangements of the user authentication card 7 made of 
an IC card. 

45 [0155] The user authentication card 7 as practiced 
in the embodiment is a composite-type IC card provided 
with a contact type connector transmitting electric sig- 
nals through a terminal 71 and a non-contact type con- 
nector establishing communication by means of 

so electrostatic coupling or electromagnetic induction with- 
out contact between an electrode 73 in the card and an 
electrode inside the authentication card read/write con- 
trol unit. The user authentication card 7 is designed in 
consideration of a case where plural card issuers place 

55 a commonly usable terminal, respectively, for a single 
common card to be openly used by its carrier for 
respective issuers. The IC card, however, may be pro- 
vided with either one of the connectors. 



12 



23 EP 1 085 

[0156] The terminal 71 is connected to a connec- 
tion circuit 72; the non-contact type electrode 73 is con- 
nected to a communication control circuit 74. Both are 
coupled with built-in memories. 

[0157] The user authentication card 7 also includes 5 
a CPU 75 and memories comprising of a random 
access memory RAM 76, a read-only memory ROM 77, 
an electrically-writable, programmable read-only mem- 
ory PROM 78, and an electrically-erasable, program- 
mable read-only memory EEPROM 79. These are w 
connected with each other through a bus. 
[0158] The connection circuit 72, the communica- 
tion control circuit 74, the CPU 75 and the memories 
can be mounted on a single IC chip. 
[0159] Upon insertion of the user authentication is 
card 7, the authentication card read/write control unit 
411 accesses the memories of the user authentication 
card 7 either from the terminal 71 through the connec- 
tion circuit 72, or from the non-contact electrode 73 
through the communication control circuit 74. 20 
[0160] The PROM 78 stores card authentication 
data for examining the authenticity of the authentication 
card concerned and an ID of issuer that has issued the 
user authentication card upon approval, and the like. 
The data once written in the PROM 78 cannot be 25 
renewed. 

[0161] The EEPROM 79 stores biological individu- 
ality data for use in authenticating user identification 
and the record of transactions executed using the 
authentication card. The ROM 77 stores programs for 30 
control of the CPU 75 to execute encryption and decryp- 
tion, control of data input/output, examination of the 
authenticity of the user authentication device 41 , and so 
on. The RAM 76 temporarily stores data taken from the 
outside and data needed in the computing process, and 35 
so on. 

[0162] Unused user authentication cards 7 are dis- 
tributed to each authentication-card issuing station 6 on 
the condition that correct card certificate information 
has been written in the PROM 78 at the authorized or 40 
policy registration authority 1 to prove that the authenti- 
cation cards are genuine cards available in the authen- 
tication system. Therefore, all the authentication-card 
issuing station 6 has to do is to write in part of biological 
individuality data of the user in the EEPROM 79 in 45 
accordance with instructions by the authorized registra- 
tion authority 1 . In this regard, the writing function of the 
PROM 78 may be omitted from the authentication-card 
issuing device to prevent the card from being falsified. 
[0163] The authentication card is not limited to the so 
arrangement or allotment of the memories as practiced 
in the embodiment. For example, the biological individu- 
ality data for use in authenticating personal identifica- 
tion may be stored in the PROM 78 or RAM 76. 
[0164] The following section describes, along with 55 
Fig. 5, an example of the process of issuing a user 
authentication card. 

[0165] The user registering station 5 accepts a reg- 
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istration application from a user 8 who wants to receive 
services at authentication access terminals within the 
territory of the user registering station 5 (S1 1). The user 
registering station 5 gathers information indicative of 
biological individualities of the user, and if necessary, 
information for use in pre-qualifying the user 8 (S12). 
The biological individuality data used here are charac- 
ters unique to the user's living body; they should be 
selected for characteristics through which the user can 
be distinguished from others in disguise or in imitation of 
the user. 

[0166] In the embodiment, handwriting is used for 
identifying the user. Although any figure is possible, if 
the user 8 inputs different figures every time, it would be 
inconvenient to authenticate personal identification. It is 
therefore desirable for the user to put his or her own sig- 
nature so as to secure the reproducibility. In addition to 
the handwriting, the use of plural biological individuality 
data can improve the security of authentication, and 
hence, the auxiliary microphone 42 is provided here for 
acquiring voiceprints. 

[0167] The qualification information and the biologi- 
cal individuality data of the applicant, both gathered at 
the user registering station 5, are then transmitted to the 
authorized registration authority 1 (S13). 
[0168] The authorized registration authority 1 pre- 
qualifies the applicant based on the information from the 
user registering station 5, and permits the issue of an 
authentication card to the applicant who has passed in 
the pre-qualification (S14). The qualified conditions 
depend on the target services for which the user 
requests the authentication. In this regard, the end cer- 
tification authority 3 that actually accepts the user may 
examine the qualification of the user. 
[0169] The authorized registration authority 1 
divides the biological individuality data of the registered 
user 8 hierarchically into data parts according to prede- 
termined proportions, decides the parts to be assigned 
to the user authentication card 7 and the certification 
authorities 2, 3, respectively, and distributes them to 
each place (S1 5). 

[0170] The biological individuality data distributed 
from the authorized registration authority 1 to each 
place is to be accessed based on the authentication 
accuracy required by the authentication access terminal 
4. If the authentication access terminal 4 requires the 
least-level of authenticity, the authentication needs only 
the checking result of the authentication device 41 of the 
authentication access terminal 4. If a medium-level of 
authenticity is required, the user is to be authenticated 
based on the checking result of the authentication 
device 41 plus the information stored at the end certifi- 
cation authority 3. If the highest-level of authenticity is 
required, all the biological individuality data distributed 
to all the different places should be integrated for the 
judgment. 

[0171] The user authentication system of the inven- 
tion is constituted such that further authentication by the 
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upper authorities based on the biological individuality 
data can be requested only when the authenticity has 
examined and passed at the authentication access ter- 
minal. The upper authorities execute authentication 
based on the information except included inside the 5 
user authentication card. 

[0172] Therefore, the user authentication card 7 
needs to be distributed with information enough for cer- 
tification with a degree of accuracy by comparing with 
biological individuality data input by the user at the spot w 
so that the user can be judged to be authentic. 
[0173] In this embodiment, 60 % of information is 
assigned to the user authentication card 7, 30 % to the 
end certification authority 3, and the rest of 10 % to the 
intermediate authority 2. Such a gradual decrease of 15 
information amount can not only save the memory 
capacities at the upper authorities, but reduce load time 
for each authentication as well, thereby improving infor- 
mation protecting performance throughout the entire 
system. 2 o 
[0174J. It should be noted that it is desirable for the 
user authentication card 7 to hold a relatively high per- 
centage of biological individuality data so as to prevent 
excess amount of information from being transmitted to 
the upper authorities upon request to execute a higher- 25 
level of authentication. 

[0175] On the contrary, excess percentage of infor- 
mation to be assigned to the user authentication card 7 
may lower the reliability of user authentication. 
[0176] It is therefore essential to distribute the bio- 30 
logical individuality data in dividing proportions adapted 
to each practical conditions in consideration of number 
of user accesses, required level of authentication secu- 
rity, and so forth. 

[0177] Information may be divided such that all the 35 
digitized data is divided physically in predetermined pro- 
portions, or divided on the step-by-step basis. For 
example, information of handwriting may be divided into 
information related to a final figure of handwriting, infor- 
mation related to stroke on the way of writing, and infor- 40 
mation on the stroke order. Any biological individuality 
data can be divided for use in each related spot, for 
example, a voiceprint can be divided by frequency 
band, or a fingerprint can be divided by finger. 
[0178] In the case a plural types of biological indi- 45 
viduality data such as handwriting and a voiceprint are 
extracted, the biological individuality data may be dis- 
tributed by type. 

[0179] The authorized registration authority 1 
stores information related to the authentication card and so 
the user in a large-capacity memory means 1 1 remova- 
ble from the main device, such as a magnetic tape, a 
CD-ROM, a magneto-optical disk, a DVD, or a remova- 
ble hard disk (S16), and upon receipt of a request from 
a lower authority, a person in charge inserts the mem- 55 
ory means into a driver in order to check the registered 
information. 

[01 80] At the authorized registration authority 1 , the 



removable recording medium 11 is stored by separating 
it from an external communication network when it is not 
in use so as to prevent violence or falsification of 
records. 

[0181] The certification authorities 2, 3 stores dis- 
tributed part of the biological individuality data of individ- 
uals into the memories 21, 31, respectively, and reads 
out it on demand. 

[0182] The authentication-card issuing station 6 
records the part of biological individuality data of the 
registered applicant distributed by the authorized regis- 
tration authority 1 in a user authentication card 7 which 
records its own card authentication code, and issues 
the card 7 to the user 8 (S17). 

[0183] A plurality of user registering stations (RG) 5 
and authentication-card issuing stations (IS) 6 can 
belong to a single end certification authorities (CA) 3. 
[0184] Further, since the user 8 is required to go to 
the user registering station 5 and input his or her biolog- 
ical individuality data, the authentication-card issuing 
station 6 for issuing the card to the user 8 is convenient 
for the users if it locates at the same location as the user 
registering station 5. 

[0185] It may also be useful to have a reliable wit- 
ness to identify the user 8. But it is hard for any mecha- 
nism to exclude a person pretending to be another 
person from the beginning. 

[0186] Further, the authentication card is not neces- 
sarily issued immediately after the registration proce- 
dures, and it may be mailed later to the user's address 
in order to confirm the facts the user has declared. 
[0187] Furthermore, the user registering station 
(RG) 5 and the authentication-card issuing station (IS) 6 
may belong to the authorized registration authority 
(PRA)1. 

[0188] Furthermore, an issuer can conduct registra- 
tion/issue procedures at any place if the issuer carries a 
portable terminal having the same functions as those 
provided at the user registering station (RG) 5 and the 
authentication-card issuing station (IS) 6. The use of 
such a portable terminal should be restricted to only the 
issuers who have, been authentically licensed by the 
authorized registration authority (PRA). Even in this 
case, the issuer is never permitted to use the portable 
terminal without passing in strict examination and 
receiving a certificate of issuer. 
[0189] The following section describes, along with 
Fig. 6, an example of the process of authenticating user 
identification using a user authentication card 7 at an 
authentication access terminal 4. 
[0190] When a user 8 presents his or her user 
authentication card 7 and applies to a transaction at an 
authentication access terminal 4, the user authentica- 
tion card 7 is inserted into the card slot (input/output 
unit) 401 of the authentication device 41 of the authenti- 
cation access terminal 4 to read out the authentication 
information from the user authentication card 7. The 
authentication information includes information for con- 
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firming the authenticity of the card and biological indi- 
viduality data for use in authenticating user 
identification. 

[0191] At the authentication access terminal 4, the 
card is authenticated first (S21). The card authentica- 5 
tion confirms that the user authentication card 7 is 
authentic, i.e., that the card is adapted to the user 
authentication system for use at the authentication 
access terminal 4, and that the person is the authentic 
holder of the card. If the user authentication card 7 is not 10 
adapted to the authentication system, any transaction 
will not be accepted at the authentication access termi- 
nal 4 from the very first. 

[0192] It should be noted that, in order to confirm 
that the user authentication card 7 is not accessed by is 
an unauthorized device, there may be provided a mech- 
anism in which a program in the user authentication 
card 7 verifies whether the authentication device 41 is 
qualified to the authentication card itself, and if the 
device is not proper, the authentication card rejects the 20 
disclosure of the stored contents. 
[0193] When the user authentication card 7 has 
passed in the authentication, the user 8 is then required 
to show the same biological individuality as the user 
deposited when obtaining the user authentication card 25 
7, e.g., to put his or her signature on the tablet (personal 
identity input unit) 403 (S22). 

[0194] The biological individuality data input from 
the tablet 403 is checked against the biological individu- 
ality data recorded in the user authentication card 7, 30 
which is, for example, 60 % of the biological individuality 
data of the user, and the user 8 at the window is judged 
to be the authentic holder of the user authentication 
card 7 or not (S23). The user authentication result is dis- 
played on the display 404 (S24). 35 
[0195] The subsequent procedures at the authenti- 
cation access terminal 4 vary according to whether the 
user has been authenticated or not (S25). If the user 
authentication is negative, the authentication access 
terminal 4 will reject any transaction (S33). If the user 40 
authentication is affirmative, it is checked whether or not 
further on-line authentication is to be requested from 
upper authentication institutions (S26). If no on-line 
authentication is needed, the authentication access ter- 
minal 4 may accept the transaction applied by the user as 
8 at once (S32). 

[0196] The presence or absence of request and the 
depth of the request for the on-line authentication may 
be input by an operator or the user 8 with the authenti- 
cation-level specifying unit 402 at every transaction, or so 
may be automatically set based on nature of the trans- 
action or the transaction money. 
[0197] If the on-line authentication is needed, a 
request for a certain level of authentication is sent to the 
end certification authority 3, together with the informa- 55 
tion of the user authentication card 7 and the personal 
identity information obtained at the personal identity 
input unit 403 (S27). The personal identity information 



to be sent can be a part, for example, 40 % of the per- 
sonal identity information, exclusive of the part used at 
the authentication access terminal 4, so that the quan- 
tity of information exchanged between the authentica- 
tion access terminal 4 and the end certification authority 
3 can be reduced. 

[0198] The necessity of the on-line authentication 
should be determined according to the level of security 
required based on the nature of the transaction. Specif- 
ically, commercial transactions about highly realizable 
goods or expensive goods, disclosure of personal infor- 
mation, and something like that require secure authenti- 
cation; such transactions should request user 
authentication of upper authorities. 
[0199] The depth of on-line authentication may also 
be specified by the nature of the authentication access 
terminal 4. For example, at a hospital reception desk, a 
high level of authentication of personal identification 
may often be required to protect a person's privacy and 
insure accurate medical treatment. Especially, in case 
of telecommuting medical treatment, it is preferable to 
request user authentication from the upper authorities. 
[0200] The information sent to the end certification 
authority 3 is checked with the identity information char- 
acteristic of the user 8, the identity information stored in 
the memory 31 (S28), and the authentication results are 
forwarded to the authentication access terminal 4 (S29). 
[0201] Since the end certification authority 3 has 
only the record for 30 % of the identity information on 
the user, if the user authentication at the end certifica- 
tion authority 3 is insufficient, further user authentication 
will be requested from the policy certification authority 
2. Since the policy certification authority 2 has only the 
record for 10 % of the identity information on each user, 
the policy certification authority 3 uses 10 % of the iden- 
tity information obtained at the authentication access 
terminal 4, so that the information to be sent from the 
end certification authority 3 to the policy certification 
authority 2 can be vastly reduced. 
[0202] The user authentication results of the policy 
certification authority 2 are sent back to the authentica- 
tion access terminal 4 through the end certification 
authority 3. 

[0203] The user authentication results of all the 
authenticating facilities are integrated into a resultant 
total output and displayed on the authentication display 
404. If the total result satisfies the user authentication, 
the transaction is accepted (S32), and if not satisfy, the 
transaction is rejected (S33). 

[0204] When the user authentication is denied, 
there is a possibility of any fraud such as the falsification 
of records or disguise of the user. In this case, it is pref- 
erable to send the information to the authorized regis- 
tration authority 1 and to analyze the troublesome and 
its cause. 

[0205] Since the authorized registration authority 1 
stores protected records that is difficult to invade or fal- 
sify from the outside, the records of the authorized reg- 
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istration authority can be compared with the data input 
at the authentication access terminal 4 to make it clear 
where the abnormal conditions occurred among the 
user authentication card 7, the end certification author- 
ity 3, and the policy certification authority 2. 5 
[0206] If the contents of the user authentication 
card 7 do not match with the information input by the 
user 8, it should be considered that the user authentica- 
tion card 7 got into wrong hands, such as a case where 
another person who is not the authentic user picked up w 
or robbed the user authentication card 7, or where the 
data of the user authentication card was rewritten by 
unauthorized access. 

[0207] The following section describes a second 
embodiment of a user authentication system according 15 
to the invention. 

[0208] The user authentication system as practiced 
in the second embodiment differs from the first embodi- 
ment only in that the user authentication card has an 
operation function to check the biological individuality 20 
data of the user with the identity information recorded 
thereon, in stead of the use of the logical arithmetic unit 
provided at the authentication access terminal to check 
the biological individuality data input from the personal 
identity input unit with the biological individuality data 25. 
recorded in the user authentication card. Referring here 
to the same drawings as used for describing the first 
embodiment, only the different portions from the first 
embodiment are described. 

[0209] On an IC card used here as the user authen- 30 
tication card 7, certain elements such as the CPU 75 
and RAM 76 can be mounted to have a certain opera- 
tion function. 

[0210] In the system of the embodiment, a user 8 
who wants to receive services at an authentication 35 
access terminal 4 inputs his or her own biological indi- 
viduality data through the user authenticating device 41 . 
The biological individuality data are then processed 
accordingly, converted into digitized form, and sent to 
the user authentication card 7. ao 
[0211] The user authentication card 7 stores the 
input information data into the RAM 76 temporarily. The 
CPU 75 then reads out the biological information data of 
the authorized user from the EEPROM 79, and com- 
pares the information data temporarily stored in the 45 
RAM 76 with the information data read out from the 
EEPROM 79. If the comparison shows that all the points 
of similarity between either information data are within 
an acceptable range, the person asking for services at 
the authentication access terminal 4 is authenticated as 50 
the true holder of the user authentication card 7, and the 
authentication access terminal 4 is notified of the 
acceptance. If the person has not passed in the authen- 
tication, the authentication access terminal 4 is notified 
of the refusal. 55 
[0212] After accepting the user authentication result 
from the user authentication card 7, the authentication 
access terminal 4 offers desired services to the user 8. 



If more careful authentication is needed, the authentica- 
tion access terminal 4 inquires the end certification 
authority 3 or the policy certification authority 2 to fur- 
ther authenticate the person in accordance with the 
authentication results from the upper authorities. It 
should be noted that the authentication access terminal 
4 may be combined with the end certification authority 
3. 

[0213] Although the proportions of biological infor- 
mation data distribution among related spots can be 
determined arbitrarily, it is advantageous to allocate a 
higher percentage of biological information data for 
lower-level authentication as shown in the first embodi- 
ment. This makes it possible to reduce a communication 
load of the entire system, and hence to improve the sys- 
tem operability. It is therefore preferable to allocate the 
user authentication card 7 more than 60 % of the biolog- 
ical information data. 

[0214] In the embodiment, the system makes use of 
an intelligent IC card as the user authentication card 7 
not only to reduce the calculation load of the user 
authenticating device 41, but to decrease the device 
cost as well. Therefore, the smaller cost for preparing 
the facilities at the authentication access terminal 4 low- 
ers barriers for clients to join the system, thereby 
enhancing the availability. 

[0215] Further, since all the information processing 
is completed inside the user authentication card, the 
authentication card can be provided with a readout pro- 
hibited area for recording important information as 
authentication data which prohibits any outside parties 
from access. This makes it possible to prevent secret 
information from leaking, and hence to improve security. 
[0216] A third embodiment of a user authentication 
card for use in the user authentication system of the 
invention is an authentication IC card using an IC card 
as shown in Fig. 7. In the embodiment, information 
stored in the IC card is offered only when the IC card 
has passed in all the required levels of authentication. In 
this case, the authentication IC card may store 100 % of 
the authentication information and the user may not use 
any upper certification authorities. 
[0217] In the embodiment, the authentication IC 
card includes a CPU 101 for information processing, a 
ROM 102 for storing an information processing pro- 
gram, a RAM 103 for storing operation data, a data 
memory 104 capable of writing and reading information, 
an interface 105 for an applet program, an external con- 
nection circuit 106, and an external connecting terminal 
107. 

[0218] As shown in Fig. 8, files in the data memory 
104 include an authentication file 110 storing authenti- 
cation data and an application file 120 storing informa- 
tion exchanged with the outside. 
[0219] The external terminal 107, used for signal 
transmission and power supply, may be a non-contact 
type electrode or antenna. Alternatively, both of the con- 
tact type and non-contact type terminals may be pro- 
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vided for supporting various kinds of card readers. 
[0220] The applet interface 105 accepts a small 
program (applet) from the outside and operates the 
CPU according to the program. The interface has a 
function to recognize that the accepted applet is harm* s 
less to the authentication IC card. 
[0221] The authentication IC card may accept no 
applet for safety sake. In this case, the applet interface 
105 does not need to be provided in the authentication 
IC card. 10 
[0222] Stored in the authentication file are personal 
identity information for use in recognizing the authentic 
holder of the authentication IC card as well as the data 
for proving the authentication IC card to be authentic. 
Plural levels of authentication data are recorded in the 15 
order of steps I, II, III ... from the simplest to the highest 
level authentication step. The identity information pref- 
erably includes personal secret information and biologi- 
cal information difficult for others to reproduce, such as 
a password, a fingerprint, a voiceprint, a portrait, and a 20 
handwritten signature. 

[0223] The application file 120 is divided according 
to the first classification related to information types and 
the second classification related to authentication lev- 
els. The first classification includes subclasses a, b, c 25 
in which the information is normally classified according 
to the types of institutions offering authentication serv- 
ices, such as housing management information, medi- 
cal information, financial information, and 
communication information. The second classification 30 
includes subclasses I, II, Hi .... in which the authentica- 
tion information is classified according to the required 
levels of authentication, i.e., according to the depths of 
authentication, ranging from a case where a person is 
allowed to access by the easiest authentication to a 35 
case where the access is allowed only when the person 
has passed in such high-level authentication as to iden- 
tify the person based on his or her fingerprint. 
[0224] For example, a series of relevant information 
are recorded as follows: information sent from building 40 
management companies is stored in section b of the 
first classification; codes to permit entry to apartment 
buildings are in Class I file; codes to open or close clos- 
ets are in section II of the second classification; and 
codes to open doors of individual apartments are in the 45 
file of the section III of the second classification. 
[0225] These files may also record keys of codes, 
electronic certificates, and so on. 
[0226] In this case, a card reader is installed in each 
entrance of apartment buildings. When getting in the so 
apartment building, tenants have to get their authentica- 
tion IC card read in by the card reader. The tenants are 
allowed to enter the apartment building when the IC 
cards are judged to be authentic as a result of mutual 
checking between the card and the card reader. Since 55 
each apartment in the building has a strictly locked door, 
the tenants are permitted to enter the building merely 
through an easy authentication step to authenticate the 



authentication IC card only. 

[0227] The authentication IC card has a function to 
confirm the authenticity of the card reader. It is essential 
to prevent an unauthorized card reader from stealing 
secret information written in the authentication IC card 
or from rewriting the information contents. 
[0228] Fig. 9 is a block diagram illustrating typical 
application of the authentication IC card to housing 
management. 

[0229] Each apartment door 1 30 is furnished with a 
door open/close control unit 131 which prevents the 
door 130 from manual opening. The door open/close 
control unit 131 is connected to an authentication con- 
trol unit 132; the door open/close control unit 131 opens 
or closes the door 130 in response to a control signal 
from the authentication control unit 132. The authentica- 
tion control unit 132 is connected to an identity informa- 
tion input unit 133 and a card reader 134. 
[0230] The following section describes, along with 
the flowchart of Fig. 10, the information processing with 
the authentication IC card. 

[0231] When getting in user's apartment, a card 
user insets his or her authentication IC card 135 into the 
card reader 134 (S41). The authentication control unit 
132 sends a reader ID to the authentication IC card 135 
and inquires the card ID from the authentication IC card 
(S42). The authentication IC card 135 examines the 
reader by checking the reader ID with information in the 
authentication file, and if it confirmed that the reader is 
permitted to deal with the card itself (S43), the card ID 
recorded in the authentication file is forwarded to the 
card reader 134 (S44). These processing steps are all 
performed via the CPU; the card reader 134 cannot 
access the memory in the authentication IC card her- 
eon. 

[0232] The authentication control unit 132 then 
judges whether the ID of the authentication IC card is 
authentic and acceptable to the system (S45). When 
the card is judged net to be acceptable, the unit eject 
the card and refuse it (S50). If judged the card to be 
acceptable, the authentication control unit 132 requires 
the user to input a personal identification, such as a fin- 
gerprint, predetermined based on the authentication 
level, reads out the information input by the user from 
the identity information input unit 133 (S46), and 
extracts necessary information from all the input infor- 
mation to create identity information (S47). 
[0233] Then, the authentication control unit 132 
determines whether the authentication IC card or the 
door open/close control unit confirms the authenticity of 
the identity information (S48). If it is predetermined that 
the authenticity is confirmed by the authentication IC 
card 135, the authentication control unit 132 sends the 
identity information to the authentication IC card 135, 
and inquires a door opening code from the authentica- 
tion IC card 135 (S49). 

[0234] The authentication IC card 135 checks the 
received identity information with the identity informa- 



17 



33 



EP1 085 424 A1 



34 



tion stored in the authentication file (S50). If both accord 
each other, the authentication IC card 135 sends the 
door opening code recorded in a predetermined appli- 
cation file (e.g., b III file), to the authentication control 
unit 132 through the card reader 134 (S51). 5 
[0235] On the contrary, if the authenticity of the 
identity information is to be confirmed by the door 
open/close control unit, the authentication control unit 
132 inquires the identity information from the authenti- 
cation IC card 135 (S52), and checks the identity infor- 10 
mation sent from the authentication IC card 135 against 
the identity information of the user obtained on the spot 
(S54). If the checking result is acceptable, authentica- 
tion control unit 132 inquires the door opening code 
from the authentication IC card 135 (S55). In response 15 
to the inquiry, the authentication IC card 135 sends the 
door opening code recorded in the predetermined appli- 
cation file, to the authentication control unit 132 (S51). 
[0236] If the door opening code thus received is 
authentic (S56), the authentication control unit 132 20 
sends the door open/close control unit 131 a door open- 
ing-instruction signal (S57) to unlock the door 130 (S58) 
so that the holder of the authentication IC card can get 
in (S59). 

[0237] The identity information may be divided 25 
between the authentication IC card 135 and the authen- 
tication control unit 132 so that the memory area of the 
data memory 104 in the authentication IC card 135 can 
be reduced. In this case, the door opening code is deliv- 
ered after checking the identity information input from 30 
the identity input unit against the identity information 
dividedly stored in the authentication IC 135 card and 
the authentication control unit 132. The dividing of the 
identity information between the authentication IC card 
135 and the authentication control unit 132 is effective 35 
not only in memory economy, but also in security meas- 
ures because others cannot be certificated by the iden- 
tity information stolen from the authentication file of the 
authentication IC card. 

[0238] In the above example, the identity informa- ao 
tion stored in the authentication file is used in three 
steps, but the number of steps may be arbitrarily 
selected. The identity information may include from the 
easiest step of information as an ID number written in by 
the card issuer, to passwords given by the card holder, 45 
information on the living body such as a fingerprint, an 
iris, and a portrait of the holder, dynamic information 
such as a signature input by the holder on the spot, and 
high-level composite information made up of a combina- 
tion of the above kinds of information. 50 
[0239] The biological information shows hard-to- 
duplicate features because the authentic holder has it 
biologically on the living body, but the information data 
itself can be duplicated to misappropriate. In contrast, 
the dynamic information accompanied with person's 55 
movement on the spot makes it more difficult for others 
to imitate, thereby improving reliability of the authentica- 
tion. 



[0240] The identity information input unit must 
include various functional parts for obtaining information 
depending on the kinds of identity information to be 
used, for example, a graphic input part for signatures, a 
keyboard for passwords, a fingerprint acquisition part 
for fingerprints, a judging part with a camera for taking 
pictures of pupils in case of using iris patterns. 
[0241] It may also be necessary for the holders 
themselves to specify the depth of authentication in 
such cases as to access the individual information 
stored in the IC card, or to ask for disclosure of medical 
records at a hospital. For example, if a holder want to 
use different depth of authentication between getting a 
resident card and a certificate of tax payment, the 
holder can specify each depth of the authentication of 
the application file storing respective passwords used in 
asking for respective certificates. 
[0242] It is also apparent that the importance of per- 
sonal authentication differs in depth between payment 
for medical treatment fee and reception of telecommut- 
ing medical treatment. The authentication IC card of the 
invention can respond to even these cases. 
[0243] Further, a single authentication IC card may 
be used for plural purposes, for example, as a member's 
card, an personnel's card, an ID card for administrative 
services, a commuter's ticket, a prepaid card, a credit 
card, a telephone card, a shopping card, and an elec- 
tronic-cash card capable of updating the balance of the 
holder's debit account. 

[0244] Furthermore, the authentication IC card can 
be for temporary use such as to record a door opening 
code of a hotel room in a file of the authentication IC 
card at check-in and erase it at check-out. 
[0245] A forth embodiment of a user authentication 
card used in the user authentication system of the 
invention features that a guarantee or witness is added 
as a target to be authenticated with the authentication 
IC card as shown in Fig. 1 . 

[0246] As similar to the authentication IC card of the 
third embodiment, the authentication IC card of the this 
embodiment includes a CPU 201 for arithmetic process- 
ing, a ROM 202 for storing an arithmetic processing pro- 
gram, a RAM 203 for storing data used in the arithmetic 
processing, a data memory 204 capable of writing and 
reading data, an interface 205 for applet programs, an 
external connection circuit 206. and an external termi- 
nal 207. 

[0247] Files in the data memory 204 include an 
authentication file 210 storing authentication data and 
an application file 220 storing job programs for execut- 
ing specific jobs and various data. 
[0248] The authentication file 210 stores data used 
for proving the authentication IC card to be authentic 
and identity information of an authentic holder. The 
authentication information is not limited to one type, but 
plural types of authentication information can be stored 
in order to selectively use a single identity information 
alone or a plurality of information in combination. 
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[0249] The authentication file 210 is divided into a 
first identity file 211 storing identity information that 
proves the holder to be authentic by the authentication 
IC card, and a second identity file 212 storing identity 
information related to the second person such as a 5 
guarantee, witness or issuer, or authentication informa- 
tion related to the second organism. Two or more wit- 
nesses of the second persons or organisms may be 
used as required in the system. 

[0250] The application file 220 includes a first work 10 
file 221 storing part of information for dealing with the 
authenticity of the authentication IC card and a second 
work file 222 storing part of information for performing 
execution based on the authentication results. 
[0251] The second work file 222 stores information 15 
required for each service provider using the authentica- 
tion with classifying the information according to the lev- 
els of the required authentication. The file can also store 
keys of codes, electronic certificates, and so on, or may 
store various programs such as one for an undo-a-lock 20 
instructing job. 

[0252] The first work file 221 stores various jobs 
and information related to the authenticity of the authen- 
tication IC card, such as jobs for writing identity- informa- 
tion, jobs for reading/rewriting identity-information, and 25 
jobs for reading/erasing logs. 

[0253] The jobs and information stored in the first 
work file 221 can be divided, based on the required lev- 
els of confidentiality, into a group requiring authentica- 
tion of the holder only, a group requiring authentication 30 
of the second person only, and a group requiring 
authentication of the holder and the second person. 
[0254] The following section describes application 
of the authentication IC card of the embodiment with ref- 
erence to Figs. 12 to 14. 35 
[0255] Fig. 12 illustrates the process of issuing the 
authentication IC card. 

[0256] Upon receipt of a request for the issue of an 
authentication IC card (S111), the card issuer checks 
credit of the applicant to be authenticated by the 40 
authentication card (S112). If the applicant passes in 
the checks and is certified to use the authentication 
card, the card issuer requires the authenticated person 
to designate someone credible as a witness (S113). 
[0257] Upon issue of the authentication IC card, all 45 
the persons concerned gather at a specific card issuing 
station (S114). At first, the authentication IC card and 
the card issuing device are confirmed to be authentic 
(S115), and if the authentication IC card is permitted to 
be issued (S116), the respective persons input identity so 
information (S117). 

[0258] The function to confirm the authenticity of 
the card reader is provided in the authentication IC card 
in order to prevent the contents of information stored in 
the authentication IC card from getting stolen or rewrit- 55 
ten. 

[0259] The person to be a card-holder inputs sev- 
eral identity information, such as passwords, specific 



signs or marks, signature, fingerprints, a voiceprint, an 
iris pattern, a palm-print, and so on, so as to use selec- 
tively depending on the degree of the credibility required 
in respective transactions through the card. Witnesses 
may also be required to input plural pieces of identity 
information, but since there are few cases where the 
witnesses are authenticated, it is not necessary for 
them to use various identity information. The witness 
may be an organism as an organization or institution. In 
this case, the authentication of the witness may be exe- 
cuted based on certification information as an electronic 
signature instead of the biological information. 
[0260] The authentication IC card may be used in a 
company for confirming various authority powers. In this 
case, a manager in the personnel department responsi- 
ble for issue of cards or a person in charge of issuing 
cards may be authenticated as the card issuer or wit- 
ness, or a manager in a department to which the card 
holder belong may be authenticated. 
[0261] The input data of identity information of the 
holder is stored in the first identity-information file 211; 
the identity information or certification information of the 
witness is stored in the second identity-information file 
212. An electronic certificate describing the reliability 
and evidence of the authentication may be required in 
the authentication process. Such an electronic certifi- 
cate to be issued by the authentication IC card is stored 
in the second work file 222 of the application file 220 
together with the application data for use in various 
transactions (S118). 

[0262] Programs for displaying or rewriting the iden- 
tity information recorded in the authentication IC card is 
stored in the first work file 221 , and access to the pro- 
gram is permitted only after being satisfied -with at! the 
steps of authentication predetermined according to 
respective jobs. 

[0263] After the above required information has 
been written in the authentication IC card, the issuer's 
officer tests the authentication IC card on the perfection 
of product such as to confirm that the authentication IC 
card operates properly when the authenticated person 
inputs proper identity information (S119). If the authen- 
tication IC card has passed in the test, it is issued to the 
card holder (S120). If not passed in the test, necessary 
steps such as the authentication information writing 
step (S118) is repeated so that the authentication IC 
card can be repaired and getting good enough to issue 
the card holder. 

[0264] Upon the pre-qualification of the authenti- 
cated person (S112), if the card issuer judged the per- 
son to be ineligible to use the card in the authentication 
system, the issue of the authentication card is refused 
(S121). 

[0265] This type of authentication IC card can be 
used in a mechanism in which a code signal for permit- 
ting each service or transaction (hereinafter, referred to 
as transaction) is prerecorded in the authentication IC 
card carried by a person who has qualified to do the 
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transaction, and the transaction is permitted by confirm- 
ing that the person carrying the authentication iC card is 
the authentic holder. 

[0266] in this case, the person in charge of the 
transaction receives information from the authentication 5 
IC card to confirm that the person carrying the authenti- 
cation IC card is the authentic holder and that the code 
signal proving the eligibility of the authentication IC card 
to receive the transaction is recorded. On the other 
hand, the authentication IC card confirms that the 
reader is authentic and the person carrying the card is 
authentic holder 

[0267] Since the authentication IC card stores 
attributes of the holder, authentication functions for all 
the qualified transaction utilization can be incorporated 
in one card, including entrance into a building or 
morgue, a bank account or holding a credit card, a fam- 
ily register or history, balance of a debit account in case 
of using an electronic-cash card. 
[0268] Such an authentication IC card can be used 
for managing entrance into housing in the same manner 
as in the third embodiment, and in this case, this 
embodiment offers highly reliable authentication hard 
for others to pretend the card holder. 
[0269] The authentication IC card chooses some of 
various kinds of the identity information depending on 
the situations, and this may cause even the authorized 
holder to forget the genuine identity information to be 
used on the spot. To avoid such inconvenience of not 
being able to use the card, the identity information 
recorded in the card can be shown, in general. 
[0270] Further, the holder may periodically change 
the identity information to prevent from leaking or get- 
ting stolen by others, or to improve security It is there- 
fore preferable that the identity information is 
changeable as required by the card holder. 
[0271] It is not easy to prevent a person having pro- 
found knowledge about the authentication IC card and 
operation of the equipment from evilly withdrawing infor- 
mation stored in the authentication IC card and falsify- 
ing the card or making false authentication IC cards. 
[0272] To prevent such cases, the authentication IC 
card of the embodiment requires the authentication of a 
witness for predetermined jobs. If the authentication of a 
witness is required at the time of access to the authen- 
tication information of the authentication IC card, even 
the person who is well-informed about inside informa- 
tion cannot steal or rewrite the identity information. 
[0273] Fig. 13 is a flowchart illustrating the proce- 
dures required when an authorized person to be 
authenticated confirms his or her own identity informa- 
tion. 

[0274] When the identity information of an authenti- 
cated person is read out from the authentication IC card 
(S131), the authenticated person concerned, the per- 
son to be authenticated, the witness at the card issue, 
and the person in charge at the card issuing station, or 
the organism of the organization assemble themselves 



(S132), and after confirming of the authenticity of the 
card (S133), they input respective identity information or 
authentication information (S134). 
[0275] If the identity information or the authentica- 
tion information of respective persons or organism 
match with those stored in the authentication IC card 

(5135) , the fact of current access to the card is logged 
up into the memory of the authentication IC card 

(5136) , then the recorded identity information is dis- 
played on a display attached to the card reader (S137). 
If all the necessary information such as the identity 
information do not match with each other, the current 
access is regarded as ineligible, and the display of the 
identity information is refused (S138). 

[0276] in this case, the card-authenticated person 
inputs one type of the identity information that he or she 
remembers, and if the input identity information 
matches with a corresponding information stored in the 
authentication IC card, the current access is regarded 
as eligible. In another possible case, an identity informa- 
tion is shown only when the identity information to be 
displayed is authenticated by a higher-level of the iden- 
tity information. For example, when an authenticated 
person cannot remember the password, the forgotten 
password is disclosed by referring to the fingerprint, 
while a signature is not to be displayed even if the pass- 
word matches with that recorded in the authentication 
IC card. 

[0277] The identity information not requiring a high 
level of security may be disclosed merely by identifying 
only the card holder using the identity information based 
on the biological individuality of the holder, without 
assembling the witness or the like. Further, in specific 
cases, the person in charge of issuing the card can take 
responsibility for reading out certain information at his or 
her discretion. 

[0278] Fig. 14 is a flowchart illustrating the proce- 
dures when the identity information is renewed or rewrit- 
ten. 

[0279] When the authenticated person requests the 
issuer to renew or rewrite the identity information 

(5141) , the witness and the person in charge of the 
issuer gather together with the authenticated person 

(5142) to confirm the approval of all concerned. This is 
because if renewal of the identity information is 
accepted by approval of only the authenticated person, 
there is a possibility that an unauthorized person 
renews the identity information to use the card illegally. 
After extracting the approval from all concerned, the 
authentication IC card and the issuing device confirm 
each other on their authenticity (S143), and all the per- 
sons gathered together input respective identity infor- 
mation or authentication information (S144). If the input 
of the identity or authentication information matches 
with that stored in the authentication IC card (S145), the 
renewal of the identity information is permitted. 
[0280] When all persons pass in respective authen- 
ticity, the identity information formerly recorded in the 



15 



20 



25 



30 



35 



40 



45 



50 



20 



39 



EP 1 085 424 A1 



40 



authentication IC card is transferred to an external 
memory (S146), and logs of being renewed or rewritten 
are recorded in the authentication IC card (S147). Fur- 
ther, unnecessary old identity information data is erased 
(S148), while the card holder inputs new identity infor- 5 
mation (S149). The new identity information data is then 
stored in the authentication IC card (S150). 
[0281] After that, the issuer's officer tests the 
authentication IC card on the functions (S151). If the 
authentication IC card has passed in the test, it is issued w 
to the card holder (S152). If authentication IC card is 
defective, the identity information is renewed again, and 
the authentication IC card is issued to the card holder 
when the card passes the test. 

[0282] If anyone of the persons concerned fails in 15 
the authentication, renewal of the identity information is 
refused because there may be an unauthorized access 
(S153). 

[0283] When the identity information is read out or 
rewritten, it may be a cause of abnormality such as 20 
unauthorized use of the card. It is therefore preferable to 
record logs on the authentication IC card itself. 
[0284] The authentication IC card of the embodi- 
ment can require the approval of a witness or the like for 
read-out or renewal of the identity information, so that 25 
not only others who picked up or robbed the authentica- 
tion IC card cannot use or falsify the authentication IC 
card, but also someone having profound knowledge 
about the authentication IC card issuing device, the 
reader, and the rewriting device cannot use the authen- 30 
tication IC card without the approval of the witness. The 
authentication IC card thus offers a superior level of 
security. 

[0285] The user authentication system and the 
authentication IC cards according to the invention are 35 
applicable to a lock control system. 
[0286] A first embodiment of a lock control system 
according to the invention is the application of the 
authentication system to safe-deposit box control. In the 
embodiment, the authentication data registered in the 40 
authentication IC card is used to identify the user, and 
this makes it possible to offer a high level of security. 
[0287] Referring to Fig. 15, a key card issuing sta- 
tion 301 issues a specific IC card as a key card 302 to a 
user who applies to use a safe-deposit box. A safe- 45 
deposit box 303 reads out the key card 302 and authen- 
tication data of the user, and when the key card 302 
passes in the authentication, it unlocks the safe box 
designated by the key card 302. 

[0288] The key card issuing station 301 is furnished so 
with a host computer 311, a data input/output device 
including a display and a keyboard, an identity data 
input device 313, and a reader/writer 314 for issue of 
key IC cards. 

[0289] When a user applies for a safe, the key card 55 
issuing station 301 has the user input the identity data 
from the identity data input device 313. The identity data 
are used to authenticate the user. 



[0290] The host computer 31 1 has key-card issuing 
software, key-control software, and authentication-data 
registering software in its software configuration. The 
key-control software grasps the current usage situation 
of the safe boxes, makes a safe correspondent to the 
key card, manages safe levels of locks and specifies the 
kind of authentication data, as well as it manages the 
card issue and return situation and erases the recorded 
contents of a returned key card securely. 
[0291] The data input/output device 312 includes a 
display, a keyboard, a printer, and something like that, 
generally required in a computer system. 
[0292] The identity data input device 31 3 is a device 
for inputting information by which the user can be iden- 
tified, which may include a fingerprint reader extracting 
a fingerprint pattern of a finger pressed thereon and 
classifying it, a voiceprint recognizing device consisting 
of a microphone and a voiceprint analyzer, and a tablet 
for writing a signature or signal code, in the simplest 
case, only a keyboard may be provided for entering a 
character string of code. 

[0293] The reader/writer 314 for issuing key-cards 
is constituted of an IC card reader/writer and a com- 
mand for the IC card reader/writer. 
[0294] The key-card issuing station 301 designates 
a safe for rent, stores an authorized ID allowing use of 
the safe and the authentication data of the individual 
user obtained at the identity data input device 313 into a 
memory area that operates under control of a CPU in 
the authentication IC card, and issues and gives the, 
authentication IC card as a key card 302 to the user. 
[0295] The key card 302 is an IC card having a CPU 
and a built-in memory thereon. 
[0296] The safe-deposit box 303 is provided with an 
undo-a-lock processing device 331 having an IC card 
reader/writer and an identity data input unit, and a plural 
number of locker-type safe boxes 332. The undo-a-lock 
processing device 331 has safe control interface and 
authentication data checking software. Each safe box 
332 is equipped' with an electric controller; it is locally 
operated to lock or unlock. 

[0297] Abnormality sensors for detecting abnormal 
situation and an alarm for alerting the abnormality may 
be provided to ensure security in an unmanned system. 
[0298] The user of the safe-deposit box stores 
things in a safe box 332 assigned to the user among the 
safe boxes in the safe-deposit box system 303. The 
user then locks the safe box. Once the safe box is 
locked, the safe box can be unlocked via the undo-a- 
lock processing device 331 only when the identity data 
input by the user on the spot is judged to be within an 
acceptable range in checking theory that recognizes it 
matches with the authentication data read out from the 
key card 302 presented by the user. 
[0299] According to the control system, even rf the 
key card 302 is authentic, the safe box cannot be 
unlocked without authenticating the person carrying the 
card. Thus, the safe-deposit box offers a high level of 
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security, and the control system does not need the 
approval of any witness such as a superintendent. It is 
therefore possible to run the safe-deposit box in an 
unmanned control system or the like. 
[0300] The system can also use plural kinds of 
authentication information to selectively set safe levels 
of the safe boxes. When safe levels are selectable, the 
user of the safe-deposit box can select authentication 
information to be used in consideration of the value of 
things to be stored in the safe box and the ease-of-use. 
The user may be identified by his or her signature if 
requiring a superior level of security, or identified merely 
by a character code if selecting a quick and easy way. 
[0301] Further, the system can combine more than 
two. kinds of information into the information to be 
checked at a time, and this makes possible much safer 
type safe boxes. 

[0302] Furthermore, a safe box may be assigned at 
the time of issuing a key card 302, and an ID code cor- 
responding to the assigned safe box is entered into the 
IC card at the same time. In this case, even if unused IC 
cards got stolen, there is less danger of illegal use. 
[0303] The same lock control system is also appli- 
cable to other storage facilities to which plural persons 
access, such as integrated type safe boxes or lockers, 
or key boxes in a building management system. 
[0304] A second embodiment of a lock control sys- 
tem according to the invention is the application of the 
authentication system to storage control. In the embod- 
iment, a person is identified by checking the IC card and 
his or her handwritten signature, and only the person 
permitted can enter a storage and take out only the per- 
mitted things. In the storage, important things, medi- 
cines, strong medicines, poisons, and so on are safely 
stored. 

[0305] The system has various functions for 
enhancing the security and reliability of storage such as 
a sensor notifying of unauthorized person's accessing 
to the storage and circuitry to switch the lock to the 
security side of the system against attacks from the out- 
side. 

[0306] Fig. 16 is a block diagram of a lock control 
system applied to a storage. 

[0307] A storage 305 is partitioned into plural stor- 
age rooms 351, 352 and 353. The storage room 351 
has small rooms or storage lockers 354, 355 and 356. 
[0308] The plural storage rooms and small rooms 
are different from each other in security level; they can 
be selectively used according to the confidential levels 
of stored things. 

[0309] Taking a specific case as an example, a 
company has the storage 305 in which the first storage 
room 351 stores such confidential documents that part 
of members of the company can enter the room and 
handle them. Of the confidential documents, the most 
confidential ones are stored in the first small room 354 
in the first storage room 351 , and only a few members 
further selected out of the ones allowed to enter the first 



storage room 351 can access to the first small room 
354. The second small room 355 is, for example, a room 
for personnel documents, and only the persons in 
charge of the personnel department are permitted to 
5 access the second small room 355. The third small 
room 356 is a room for accounting documents so that 
only the persons in charge of the accounting depart- 
ment can access thereto. 

[0310] The second storage room 352 is a room for 

10 storing materials relevant to development projects that 
need to be prevented from leaking the relevant informa- 
tion to the outside. Therefore, only the persons in the 
department concerned are allowed to enter the room. 
On the other hand, the third storage room 353 is a room 

15 for storing documents that is relatively low in impor- 
tance, so that any personnel can enter the room, but 
going in and out of the staff is recorded. 
[0311] The same system can be applied to an inde- 
pendent storage such as a safe box 357. 

20 [0312] As similar to that in the first embodiment, the 
storage control system of the embodiment sets qualifi- 
cations for entering each storage room or small room, 
and issues IC cards as key cards 302 to only the quali- 
fied staff. Thus, the staff qualified by authenticating per- 

25 sonal identification based on the key card 302 can 
unlock the room allowed. 

[0313] In other words, the key card 302 stores, in its 
storage area operable under control of a CPU in the IC 
card, information designating a lock which is allowed to 
30 access and personal authentication data which is 
obtained and processed by the identity data input 
device. 

[0314] The storage 305 is also furnished with a lock 
control device 304 that includes an IC card reader/writer 

35 342 for reading out the key card 302, a tablet 343 as an 
identity data input device, a control unit 341 capable of 
exchanging information, and an interface 344 for con- 
trolling locks in each storage partition. 
[0315] The storage rooms 351, 352, 353, the small 

40 rooms 354, 355, 356, and the door of the safe box 357 
are equipped with electric locks operable under local 
control of the lock control device 304. Each door is also 
equipped with an abnormality sensor 358 that detects 
access to the room and sends a signal to the lock con- 

45 trol device 304. 

[0316] Indication lamps may be equipped with the 
doors and the lamps light to instruct the accessing per- 
son which doors are permitted to open. 
[0317] When entering the storage 305, the user 

so inserts the key card 302 into the card reader/writer 342, 
and inputs, by means of the tables 343, a code that the 
user has determined at the time of registration. The 
control unit 341 confirms that the key card 302 is the 
authentic IC card and which lock the key card 302 cor- 

55 responds to by referring to the contents of the records 
sent from the key card 302 through the CPU. 
[0318] Then, the identity information such as a sig- 
nature input from the tablet 343 is checked with the per- 
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sonal authentication data presented from the key card 
302, and judged to be identical or not. If the authentica- 
tion data checking software confirms that both accord, 
the user is judged to be a person who has access to the 
lock specified by the key card 302, and the designated 5 
lock is released. 

[0319] If the user tries to access areas beyond the 
control area allowed, the sensor operates to issue an 
alarm. In case of unauthorized access, the area may be 
automatically locked so that the person who got unau- 10 
thorized access is trapped in the room. 
[0320] Further, to prevent well-intentioned persons 
from getting access to incorrect area by mistake, indica- 
tion lamps may be provided at the locks, the room or 
shelves so that when a lock is allowed to release based 15 
on the key card 302, a corresponding indication lamp is 
lit. 

[0321] The depth of authentication can be predeter- 
mined according to the level of security for each room. 
The room may requires such a level of security as to 20 
allow the access merely by presenting the key card 302, 
or may require an input code to be equal to the recorded 
code in shape, stroke order, and stroke pressure. Fur- 
ther, the room may require a higher level of evidence 
such as a combination of password and signature. 25 
[0322] In response to these different levels of secu- 
rity, plural kinds of authentication information data may 
be stored in one key card 302 so that a corresponding 
data of authentication information will be read out and 
checked for each lock to be accessed. 30 
[0323] Alternatively, different kinds of identity data 
input means can be provided in the storage 305 so that 
one of the identity data input means can be selected 
according to the required level of authentication. In gen- 
eral, since the authentication information corresponding 35 
to high levels of security take much time and effort, 
locks that do not require such high levels of security 
may be released in an easier authentication manner for 
the users' convenience. 

[0324] Further, accurate authentication information 40 
is selected out of plural kinds of information data, and 
this makes it easy to eliminate unauthorized access. If 
the user can select the combination of the identity data, 
the security of authentication is further improved, and 
this makes is more difficult for others to pretend the as 
user. 

[0325] Furthermore, since in the control system 
each person's access to locks can be grasped securely 
in an individual base, it is possible to automatically 
record who accesses to, when and which storage room so 
(or storage shelf) the person accesses to. 
[0326] In blackout situations or during power-down, 
the system is to be locked on the security side to ensure 
the confidentiality of information. It is preferable to pro- 
vide a mechanism for giving the alarm to the control 55 
room when an abnormal condition occurs such as an 
act of vandalism against the storage. 
[0327] It is also preferable to provide a superintend- 



ent's level of authentication to allow the superintendent 
to undo the lock in case of emergency. 
[0328] Although the embodiment described the 
example of document management, the same mecha- 
nism is applicable to a medicine storage and medicine 
cabinets or lockers in which medicines are manageably 
stored according to the risk factors. 

Industrial Applicability 

[0329] As described above, the user authentication 
system according to the invention checks identity infor- 
mation directly input by the user at the authentication 
access terminal with biological individuality data stored 
in the authentication card. Then, when a higher level of 
authentication is required, part of the identity informa- 
tion is sent to the upper certification authority for 
authenticating personal identification. Thus, most of 
information processing steps are performed at the 
authentication access terminal without heavy loads on 
the communication channels, so that user authentica- 
tion can be obtained according to the required level of 
security Further, the identity information can be divided, 
and this makes it possible to establish a user authenti- 
cation system highly resistant to attacks. 
[0330] The authentication IC card according to the 
invention accesses information through the CPU, so 
that authority power for accessing files can be arbitrarily 
sets, thus unauthorized accesses are prevented by 
making use of the identity information. It is therefore 
possible not only for the card holder to protect his or her 
privacy, but also for service providers to offer safe trans- 
actions. Further, when using many services, the user 
can reduce the number of carrying cards. \ 
[0331] Furthermore, the authentication IC card 
according to the invention can require the approval of a 
second person at the time of issue, so that there is less 
danger of piracy, thereby enhancing the security. 
[0332] The lock control system according to the 
invention authenticates authorized persons properly to 
offer a high level of security. This makes it possible to 
establish a storage management system or safe- 
deposit box control system safer than that in the con- 
ventional. 

Claims 

1 . A user authentication system comprising a registra- 
tion station provided with an information acquisition 
device for obtaining biological individuality data for 
distinguishing individuality of a user, an authentica- 
tion card issuing station that issues to the user a 
user authentication card recorded with a divided 
part of the biological individuality data, an authenti- 
cation access terminal provided with an authentica- 
tion-card reader for reading the information of the 
user authentication card and an identity acquisition 
device for inputting biological individuality data of 
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the user, and at least one certification authority that 
is connected to the authentication access terminal 
through an information communication channel, 
wherein the certification authority holds the record 
of the remaining part of the biological individuality 5 
data that have obtained at the registration station 
but not recorded in the user authentication card, the 
recorded contents in the user authentication card 
read out by the authentication card reader are com- 
pared with the biological individuality data of the 10 
user obtained on the spot through the identity 
acquisition device to authenticate identification of 
the user at the authentication access terminal, and 
if a higher level of authentication is required, the 
certification authority compares the biological indi- 15 
viduality data of the user obtained at the authentica- 
tion access terminal with the part of the biological 
individuality data missing in the user authentication 
card in response to inquiry from the authentication 
access terminal and sends the comparison result to 2 o 
the authentication access terminal for further 
authentication. 

2. A user authentication system according to claim 1 , 
wherein the user authentication card has an com- 25 
puting function and the computing function exe- 
cutes calculation of authenticating personal 
identification at the authentication access terminal. 

3. A user authentication system according to claim 2, 30 
wherein the information exchanged through the 
information communication channel is encrypted. 

4. A user authentication system according to any of 
claims 1 through 3, wherein the two or more certifi- 35 
cation authorities dividedly record part of the bio- 
logical individuality data obtained at the registration 
station but not recorded in the user authentication 
card, and one certification authority compares the 
biological individuality data of the user input at the 40 
authentication access terminal with the part of the 
biological individuality data stored in the certifica- 
tion authority in response to inquiry from the 
authentication access terminal or other certification 
authority for further authentication. 45 

5. A user authentication system according to any of 
claims 1 through 4, wherein the certification author- 
ity is provided with a memory device for recording 

the biological individuality data obtained at the reg- 50 
istration station. 

6. A user authentication system according to any of 
claims 1 through 5, wherein plural kinds of biologi- 
cal individuality data are registered so that different 55 
transactions can be conducted in response to the 
kind of the input data. 



7. A user authentication device comprising an authen- 
tication-card reader for reading out information 
recorded in an authentication IC card, an identity 
acquisition device for inputting biological individual- 
ity data of a user, a judgment device for checking 
the biological individuality data of the authentication 
IC card read out by the authentication-card reader 
against the biological individuality data input on the 
spot through the identity acquisition device and for 
judging acceptance of the user, a communication 
unit for transmitting at least a part of the biological 
individuality data of the user input through the iden- 
tity acquisition unit to a certification authority out- 
side and receiving an authentication result of the 
certification authority, and a display device for dis- 
playing a judgment result. 

8. An authentication IC card comprising a CPU, an 
authentication file storing identity information, and 
an application file classified into files according to 
the depth of authentication, wherein when 
requested from the outside to present information 
recorded in the application file, the CPU compares 
identity information input from the outside with the 
identity information stored in the authentication file, 
and confirms the depth of authentication, whereby if 
an acceptance is derived from the comparison, the 
information of the application file is presented 
through the CPU. 

9. An authentication IC card comprising a CPU, an 
authentication file storing identity information, and 
an application file classified into files according to 
the depth of authentication, wherein when 
requested from the outside to present information 
recorded in the application file, the CPU outputs the 
identity information stored in the authentication file, 
whereby access to the application file is allowed 
through the CPU based on the judgment result from 
an external device. 

10. An authentication IC card according to claim 8 or 9, 
wherein each file of the application file records an 
ID indicative of the authority to conduct each target 
transaction. 

11. An authentication IC card according to any of 
claims 8 through 10, wherein qualification condi- 
tions to access each application file are pre-regis- 
tered so that only the qualified persons are allowed 
to access the corresponding file. 

12. An authentication IC card comprising a CPU, an 
authentication file storing identity information or 
both of identity information and authentication infor- 
mation, and an application file storing job programs 
or data classified according to the depth of authen- 
tication, and when access to the application file is 
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requested from the outside, the authentication IC 
card allowing the access as a result of judgment 
based on the identity information or the authentica- 
tion information of the authentication file, wherein 
the authentication file stores identity information on 5 
at least one second person other than the first per- 
son subject to personal authentication with the 
card, or authentication information on at least one 
organism with predetermining a job or data to 
request for authenticating the second person or 10 
organism, and when requested to execute such a 
specific job as to request for authenticating the sec- 
ond person or organism, or to show the data, the 
CPU compares identity information or authentica- 
tion information input by the second person or the 1S 
organism from the outside with the identity informa- 
tion or authentication information of the authentica- 
tion file to allow execution of the specific job or 
showing the data when the authentication is 
acceptable. 20 

13. An authentication IC card according to claim 12, 
wherein the CPU outputs the identity information or 
authentication information stored in the authentica- 
tion file to the external device, whereby access to 25 
the application file is allowed through the CPU 
based on the judgment result from the external 
device. 



18. A lock control system according to claim 16 or 17, 
wherein the IC card can selectively record plural 
kinds of personal authentication data. 

19. A lock control system according to claim 18, 
wherein the lock is provided in each control district 
of a storage that is divided into plural control dis- 
tricts so that the personal authentication data can 
be selected for each control district. 



14. An authentication IC card according to claim 12 or 
13, wherein authentication of the persons or organ- 
ism is executed for both the first person and the 
second person or organism, whereby access to the 
application file is allowed when both has passed in 
the authentication. 

15. An authentication IC card according to any of 
claims 12 through 14, further comprising a file for 
electronic certificates on which the contents of 
authentication are recorded so as to present an 40 
electronic certificate indicative of the contents of 

the authentication used for access to the applica- 
tion file. 
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16. A lock control system comprising an IC card reader 45 
and an identity data input device, wherein the IC 
card reader reads out an IC card recording per- 
sonal authentication data of a user so that identity 
data input through the identity data input device is 
checked with the personal authentication data so 
recorded in the lOcard, whereby a corresponding 
lock is opened when the user passes in the per- 
sonal authentication. 



17. A lock control system according to claim 16, 55 
wherein the personal authentication data recorded 
in the IC card include user's living body information 
data or information data created by the user. 
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